Description

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
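
The flaw described above, sketched as an added example (this is not Routinator's own code). It assumes a cache laid out as `<cache_root>/<authority>/<module>/<path>`; the function names, host names and cache root are hypothetical.

```rust
use std::path::{Component, Path, PathBuf};

// Assumed (hypothetical) cache layout: <cache_root>/<authority>/<module>/<path...>

/// One URI segment may only ever become one plain directory or file name.
fn segment_is_safe(seg: &str) -> bool {
    !seg.is_empty() && seg != "." && seg != ".."
        && !seg.contains(|c: char| c == '/' || c == '\\' || c == '\0')
}

/// Weak form: URI components are joined into a path without being checked.
fn naive_cache_path(cache_root: &Path, uri: &str) -> Option<PathBuf> {
    let mut parts = uri.strip_prefix("rsync://")?.splitn(3, '/');
    let (authority, module) = (parts.next()?, parts.next()?);
    Some(cache_root.join(authority).join(module).join(parts.next().unwrap_or("")))
}

/// Hardened form: authority, module and every path segment are validated.
fn checked_cache_path(cache_root: &Path, uri: &str) -> Option<PathBuf> {
    let mut parts = uri.strip_prefix("rsync://")?.splitn(3, '/');
    let (authority, module) = (parts.next()?, parts.next()?);
    if !segment_is_safe(authority) || !segment_is_safe(module) {
        return None;
    }
    let mut out = cache_root.join(authority).join(module);
    for seg in parts.next().unwrap_or("").split('/').filter(|s| !s.is_empty()) {
        if !segment_is_safe(seg) {
            return None;
        }
        out.push(seg);
    }
    // Defence in depth: the result must stay lexically below the cache root.
    let escapes = out.components().any(|c| matches!(c, Component::ParentDir));
    if escapes || !out.starts_with(cache_root) {
        return None;
    }
    Some(out)
}

fn main() {
    let root = Path::new("/var/cache/rpki"); // constructed cache root
    // Constructed URIs: a normal one, and one whose module component is "..".
    for uri in ["rsync://a.example/repo/ta/x.cer", "rsync://a.example/../b.example/repo/x.cer"] {
        println!("{uri}");
        println!("  naive:   {:?}", naive_cache_path(root, uri));
        println!("  checked: {:?}", checked_cache_path(root, uri));
    }
}
```

In the weak form the `..` module makes the path leave the `a.example` directory and resolve inside another host's part of the cache; the hardened form rejects the URI before any path is built.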

PUBLISHED Reserved 2026-05-28 | Published 2026-06-08 | Updated 2026-06-08 | Assigner NLnet Labs




HIGH: 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: affected

0.15.2 (semver) before *: unaffected

Timeline

2026-03-28: Issue reported
2026-06-08: Fixes released

Credits

X41 D-Sec GmbH (finder)

References

www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt (vendor-advisory)

cve.org (CVE-2026-49233)

nvd.nist.gov (CVE-2026-49233)