Platform
go
Component
zarf
Fixed in
0.23.1
0.74.2
CVE-2026-40090 describes a Path Traversal vulnerability within the zarf package inspect sbom and zarf package inspect documentation subcommands. This flaw allows attackers to potentially read arbitrary files on the system by crafting malicious packages. The vulnerability affects Zarf versions 0.23.0 up to, but not including, version 0.74.2. A fix has been released in version 0.74.2.
The vulnerability lies in how Zarf constructs output file paths when inspecting packages. Specifically, the Metadata.Name field, which is attacker-controlled data read from the package archive, is used to build the output file path. While this field undergoes regex validation during package creation (^[a-z0-9][a-z0-9\-]*$), it doesn't prevent an attacker from crafting a malicious package that, when inspected, leads to the creation of files in unexpected locations. An attacker could leverage this to read sensitive configuration files, source code, or other data from the system running Zarf. The blast radius is limited to the system executing the zarf command, but the potential for data exposure is significant.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available as of the publication date. The CVSS score of 7.1 (HIGH) indicates a moderate probability of exploitation, particularly given the ease of package creation. The vulnerability was disclosed on 2026-04-14.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Zarf to version 0.74.2 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, a temporary workaround is to avoid inspecting unsigned packages. This significantly reduces the attack surface by preventing the inspection of potentially malicious artifacts. Consider implementing stricter package signing policies to ensure that only trusted packages are inspected. There are no specific WAF or proxy rules that directly address this vulnerability, as it's a local command execution issue. Detection signatures are challenging to create without specific file path patterns, but monitoring for unusual file creation activity during package inspection could be beneficial.
Update Zarf to version 0.74.2 or higher to mitigate the arbitrary file write vulnerability. This version fixes the issue by properly validating user input and preventing file path manipulation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40090 is a Path Traversal vulnerability in Zarf affecting versions 0.23.0 through 0.74.1. It allows attackers to read arbitrary files by crafting malicious packages.
You are affected if you are using Zarf versions 0.23.0 to 0.74.1. Upgrade to version 0.74.2 or later to resolve the issue.
Upgrade Zarf to version 0.74.2 or later. As a temporary workaround, avoid inspecting unsigned packages.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the Zarf project's repository and release notes for the official advisory and details on the fix: [https://github.com/zarf-dev/zarf](https://github.com/zarf-dev/zarf)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.