GHSA-X9F6-9RVM-MMRG: Improper Access Control and Volume Mount Isolation Bypass in vantage6 Node
Vulnerability ID: GHSA-X9F6-9RVM-MMRG
CVSS Score: 6.9
Published: 2026-06-05
An improper access control vulnerability in the vantage6 node component allows concurrently running algorithm containers to read and modify sensitive input and output files of other tasks. The lack of strict workspace directory isolation exposes a significant attack surface in multi-tenant or federated environments where untrusted algorithms are executed.
TL;DR
Malicious algorithm containers executed on a vantage6 node can bypass path boundaries to access or tamper with data belonging to other concurrent or historical tasks due to improper mounting isolation.
Technical Details
- CWE ID: CWE-284
- Attack Vector: Network
- CVSS v4.0: 6.9 (Medium)
- Affected Component: vantage6 node
- Remediation: Enforce algorithm whitelisting or upgrade to 5.0.x
- Exploit Status: No public proof-of-concept
Affected Systems
- vantage6 node
Mitigation Strategies
- Enforce strict algorithm whitelisting in node configurations to block unverified containers.
- Upgrade vantage6 deployments to version 5.0.x where directory isolation is hardened.
- Ensure Docker containers are configured to run as non-root users to limit host path traversal capabilities.
Remediation Steps:
- Open the vantage6 node configuration file (config.yaml).
- Locate or add the algorithm_whitelist block.
- Populate the list with trusted container registries and specific image tags.
- Restart the vantage6 node service to apply the configuration changes.
References
- GitHub Security Advisory GHSA-X9F6-9RVM-MMRG
- Vantage6 Security Advisory
- Vantage6 Issue Tracker - Security Advisory Roadmapping (#1932)
- PyPI Vantage6 Project Metadata
Read the full report for GHSA-X9F6-9RVM-MMRG on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)