CVE-2026-26187: escaping the Lake with a Path Traversal Two-Step
Vulnerability ID: CVE-2026-26187
CVSS Score: 8.1
Published: 2026-02-13
A critical path traversal vulnerability in the lakeFS Local Block Adapter allows authenticated users to break out of their storage namespace boundaries. By exploiting a weak prefix validation check and a namespace logic error, attackers can read and write files in sibling repositories or unrelated directories on the host filesystem.
TL;DR
lakeFS failed to properly sanitize file paths in its Local Block Adapter. Due to a missing trailing slash in a prefix check and loose namespace validation, attackers can use ../ sequences to access files outside their repo. Fixed in v1.77.0.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-26187
- CVSS Score: 8.1 (High)
- CWE: CWE-22 (Path Traversal)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Affected Versions: < 1.77.0
- Fix Version: 1.77.0
Affected Systems
- lakeFS (Local Block Adapter)
-
treeverse/lakeFS: < 1.77.0 (Fixed in:
1.77.0)
Code Analysis
Commit: cbc1062
Fix path traversal in local block adapter
func (l *Adapter) verifyRelPath(p string) error {
- if !strings.HasPrefix(filepath.Clean(p), l.path) {
+ if !strings.HasPrefix(filepath.Clean(p), l.path+string(filepath.Separator)) {
return fmt.Errorf("%s: %w", p, ErrBadPath)
}
return nil
Exploit Details
- Patch Test Case: Go test case demonstrating reading a secret file from a sibling directory.
Mitigation Strategies
- Strict Prefix Validation with Separators
- Namespace-level Path Anchoring
- Input Sanitization via filepath.Clean
Remediation Steps:
- Upgrade lakeFS to version 1.77.0 or later immediately.
- Audit existing Local Block Adapter configurations for sibling directories that might have been exposed.
- If unable to upgrade, restrict access to the lakeFS API to trusted networks only.
References
Read the full report for CVE-2026-26187 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)