CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WCMJ-X466-56MM: Arbitrary File Write via UNIX Symbolic Link Following in OpenTofu

Vulnerability ID: GHSA-WCMJ-X466-56MM
CVSS Score: 6.1
Published: 2026-06-23

A UNIX symbolic link following vulnerability exists in the provider cache installation mechanism of OpenTofu. This flaw allows an attacker with control over the repository files to write files outside of the intended workspace boundary during initialization.

TL;DR

An input validation flaw during provider extraction in OpenTofu allows pre-seeded symbolic links to redirect file writes to arbitrary paths on the host system, enabling arbitrary file write outside the workspace.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-61
  • Attack Vector: Network
  • CVSS v3.1: 6.1 (Medium)
  • Impact: Arbitrary File Write
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • OpenTofu
  • github.com/opentofu/opentofu: < 1.10.10 (Fixed in: 1.10.10)
  • github.com/opentofu/opentofu: >= 1.11.0, < 1.11.7 (Fixed in: 1.11.7)
  • github.com/opentofu/opentofu: >= 1.12.0-alpha1, < 1.12.0 (Fixed in: 1.12.0)

Code Analysis

Commit: 78379b5

Fix arbitrary file write via symlink following in local provider installation

Mitigation Strategies

  • Upgrade OpenTofu deployments to patched versions 1.10.10, 1.11.7, or 1.12.0
  • Enforce clean build steps in pipelines to delete local .terraform folders prior to execution
  • Implement non-root execution guidelines for CI/CD runners

Remediation Steps:

  1. Audit all automation pipelines and check OpenTofu executable versions
  2. Upgrade OpenTofu to 1.10.10, 1.11.7, or 1.12.0 to introduce the Lstat checks
  3. Incorporate directory cleaning scripts ('rm -rf .terraform') in build setup files
  4. Configure operating system security controls to restrict file writes to the build workspace root
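The description above (pre-seeded symbolic links in the provider cache redirecting extraction writes outside the workspace) and the remediation note about the Lstat checks introduced by the fixed versions both come down to one check: before writing an archive entry under the cache root, inspect every path component with Lstat, which reports a symlink as a symlink instead of resolving it, and refuse to write through one. The Go program below is an added example written for this post, not OpenTofu's own code or the actual patch in commit 78379b5. The function names SafeDestination and WriteEntry, the error values, and the "plugins"/"registry" entry names are assumptions chosen for illustration; the symlinked cache directory it builds is constructed in a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlinkInPath: an existing component under the cache root is a symbolic link.
var ErrSymlinkInPath = errors.New("refusing to write through a symbolic link")

// ErrEscapesRoot: the entry name resolves outside the cache root.
var ErrEscapesRoot = errors.New("entry path escapes the cache root")

// SafeDestination checks that archive entry name may be written under root.
// It rejects names that climb out of root and, walking component by component
// with os.Lstat (which does not follow links), any existing component that is
// a symlink. It returns the absolute destination path on success.
func SafeDestination(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absRoot, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(absRoot, dest)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, name)
	}
	cur := absRoot
	for _, comp := range strings.Split(rel, sep) {
		if comp == "" || comp == "." {
			continue
		}
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing exists from here down; MkdirAll will create real directories
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %s", ErrSymlinkInPath, cur)
		}
	}
	return dest, nil
}

// WriteEntry writes data to entry name under root only after SafeDestination
// has approved the path.
func WriteEntry(root, name string, data []byte) error {
	dest, err := SafeDestination(root, name)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	return os.WriteFile(dest, data, 0o644)
}

// main builds a constructed scenario: a cache root with a pre-seeded symlink
// named "plugins" pointing at a directory outside the root, then shows the
// symlinked entry being refused while a normal entry is written.
func main() {
	root, _ := os.MkdirTemp("", "cache-root-")
	outside, _ := os.MkdirTemp("", "outside-")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)

	if err := os.Symlink(outside, filepath.Join(root, "plugins")); err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for _, name := range []string{"plugins/provider.bin", "../escape.txt", "registry/provider.bin"} {
		err := WriteEntry(root, name, []byte("constructed provider bytes"))
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

The Lstat walk closes the hole the advisory describes, but it is a check-then-act sequence, so a link created between the check and the write is still followed; on Go 1.24 and later, opening the cache root with os.Root and creating files through it gives the kernel-enforced version of the same guarantee. The "clean .terraform before tofu init" step in the remediation list addresses the same risk from the other side by removing any pre-seeded cache before extraction runs.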

Read the full report for GHSA-WCMJ-X466-56MM on our website for more details including interactive diagrams and full exploit analysis.
