DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29050: Path Traversal to Command Execution in Chainguard Melange

Vulnerability ID: CVE-2026-29050
CVSS Score: 6.1
Published: 2026-04-23

Melange versions 0.32.0 through 0.43.3 contain a path traversal vulnerability in the pipeline compiler. A pipeline[].uses value is resolved against the pipeline directory without validation, so a value containing directory traversal sequences can point at an arbitrary YAML file on the host filesystem. If that file contains pipeline execution directives, melange evaluates them inside the build sandbox, giving whoever controls the build configuration command execution in that sandbox.

TL;DR

A path traversal flaw in Chainguard's melange lets an attacker who can modify a build configuration execute arbitrary commands inside the build sandbox by pointing the pipeline[].uses directive at a malicious YAML file outside the pipeline directory.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Local (AV:L)
  • CVSS v3.1 Score: 6.1 (MEDIUM)
  • Impact: Restricted Code Execution & Arbitrary File Read
  • Exploit Maturity: Proof of Concept
  • CISA KEV Listed: False

Affected Systems

  • Chainguard Melange
  • CI/CD Pipelines utilizing Melange
  • Build-as-a-Service platforms running vulnerable Melange instances
  • melange: >= 0.32.0, < 0.43.4 (Fixed in: 0.43.4)

Code Analysis

Commit: 5829ca4

Fix path traversal in pipeline compiler by validating uses directive

Mitigation Strategies

  • Upgrade melange to version 0.43.4 or later
  • Restrict melange build execution to trusted configurations only
  • Implement pre-build validation scripts in CI pipelines
  • Require manual review for pull requests modifying melange.yaml files

Remediation Steps:

  1. Identify all systems and CI/CD pipelines running melange versions between 0.32.0 and 0.43.3.
  2. Update the melange binary to version 0.43.4 across all build nodes.
  3. Verify the update by checking the installed version using melange version.
  4. Review repository history and build logs for pipeline[].uses values that reference paths outside the pipeline directory.
  5. Implement continuous monitoring on repository configurations to detect ../ sequences in pipeline[].uses values, including in any pipeline files that other pipelines reference.
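The pre-build validation script suggested above, and the kind of check the fix commit describes, come down to the same rule: a pipeline[].uses value must resolve to a file underneath the pipeline directory and nowhere else. The following Go program is an added example written for this post; it is not melange's own code and does not reproduce commit 5829ca4. It assumes the conventional layout in which `uses: fetch` maps to `<pipelineDir>/fetch.yaml` (an assumption, as noted in the comments), and it uses hypothetical function names. It shows the unchecked join that makes traversal possible next to a hardened resolver, then runs a line-based scan over a constructed melange.yaml fragment so the check can be dropped into a CI job before `melange build` runs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeUses is returned for a pipeline[].uses value that would resolve to a
// file outside the pipeline directory.
var ErrUnsafeUses = errors.New("uses directive resolves outside the pipeline directory")

// escapesRoot reports whether a cleaned relative path starts with ".." and so
// climbs out of the directory it is joined to.
func escapesRoot(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUsesUnchecked illustrates the vulnerable pattern: the uses value is
// joined straight onto the pipeline directory, so "../" sequences and absolute
// values walk wherever the author of the build file likes.
// Illustrative only (hypothetical name), not melange's actual code.
func resolveUsesUnchecked(pipelineDir, uses string) string {
	// Assumption: pipeline "fetch" lives at <pipelineDir>/fetch.yaml.
	return filepath.Join(pipelineDir, uses+".yaml")
}

// ResolveUses is the hardened form: it rejects empty and absolute values and
// any value whose cleaned form escapes pipelineDir, then re-checks the joined
// result with filepath.Rel. It does not follow symlinks (see the note below).
func ResolveUses(pipelineDir, uses string) (string, error) {
	// The explicit "/" check covers platforms where IsAbs("/x") is false.
	if uses == "" || filepath.IsAbs(uses) || strings.HasPrefix(uses, "/") {
		return "", ErrUnsafeUses
	}
	clean := filepath.Clean(uses) // "a/../b" -> "b"; "../x" stays "../x"
	if escapesRoot(clean) {
		return "", ErrUnsafeUses
	}
	full := filepath.Join(pipelineDir, clean+".yaml")
	rel, err := filepath.Rel(pipelineDir, full)
	if err != nil || escapesRoot(rel) {
		return "", ErrUnsafeUses
	}
	return full, nil
}

// usesLine matches "uses: value", optionally as a list item and optionally
// quoted. A line scan is enough for a CI pre-check; it is not a YAML parser.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'#\s]+)`)

// FindUnsafeUses scans melange.yaml text and returns one finding per uses:
// value that ResolveUses rejects, formatted as "line N: uses: VALUE".
func FindUnsafeUses(pipelineDir, yamlText string) []string {
	var findings []string
	for i, line := range strings.Split(yamlText, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if _, err := ResolveUses(pipelineDir, m[1]); err != nil {
			findings = append(findings, fmt.Sprintf("line %d: uses: %s", i+1, m[1]))
		}
	}
	return findings
}

// sampleConfig is a constructed melange.yaml fragment: two ordinary pipeline
// steps followed by two that attempt to escape the pipeline directory.
const sampleConfig = `package:
  name: example
  version: 1.0.0
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/example-1.0.0.tar.gz
  - uses: autoconf/configure
  - uses: ../../../../tmp/evil
  - uses: /tmp/evil
`

func main() {
	const pipelineDir = "/work/pipelines"
	fmt.Println("unchecked:", resolveUsesUnchecked(pipelineDir, "../../../../tmp/evil"))
	for _, f := range FindUnsafeUses(pipelineDir, sampleConfig) {
		fmt.Println("rejected:", f)
	}
}
```

Two caveats for anyone adapting this. ResolveUses validates the string only: if the pipeline directory contains a symlink pointing outside it, the resolved file can still be elsewhere, so resolve with filepath.EvalSymlinks and repeat the Rel check when the directory is not fully under your control. And the line scanner only covers the build file you hand it; pipeline files that themselves contain uses: directives need the same scan, which is why the check belongs in melange itself (the 0.43.4 fix) rather than only in CI.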
