CVE-2026-24686

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0	Patch
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-27 01:16

Updated : 2026-02-24 19:08

NVD link : CVE-2026-24686

Mitre link : CVE-2026-24686

CVE.ORG link : CVE-2026-24686

JSON object : View

Products Affected

theupdateframework

go-tuf

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-24686", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2026-01-27T01:16:02.790", "references": [{"url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}, {"lang": "es", "value": "go-tuf es una implementaci\u00f3n en Go de The Update Framework (TUF). El cliente Multirepo TAP 4 de go-tuf utiliza la cadena del nombre del repositorio del archivo de mapa ('repoName') como un componente de ruta del sistema de archivos al seleccionar el directorio de cach\u00e9 de metadatos local. A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.4.1, si una aplicaci\u00f3n acepta un archivo de mapa de una fuente no confiable, un atacante puede proporcionar un 'repoName' que contenga recorrido (p. ej., '../escaped-repo') y hacer que go-tuf cree directorios y escriba el archivo de metadatos ra\u00edz fuera de la base de cach\u00e9 'LocalMetadataDir' prevista, dentro de los permisos del sistema de archivos del proceso en ejecuci\u00f3n. La versi\u00f3n 2.4.1 contiene un parche."}], "lastModified": "2026-02-24T19:08:46.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18AEE62D-019F-48BA-ADF7-C7F5C1C72E9E", "versionEndExcluding": "2.4.1", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}