CVE-2026-35583: Emissary has a Path Traversal via `Blacklist` Bypass in Configuration API
The configuration API endpoint (`/api/configuration/{name}`) validated configuration names using a blacklist approach that checked for `\`, `/`, `..`, and a trailing `.`. Because the check was a substring match on the raw name, it could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization that only produce those characters after the check has run, allowing path traversal to read configuration files outside the intended directory.
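As an added illustration (this is not code from the Emissary project or from the advisory), the script below reconstructs a blacklist of the shape described above and runs it beside the usual replacement: an allowlist of permitted characters, backed by a canonical-path containment check. The configuration directory, the probe strings, and the "lenient decode" step that percent-decodes twice and then NFKC-normalizes are assumptions chosen to show the general failure mode of a blacklist evaluated before decoding; they do not claim to reproduce the exact request that affects Emissary.

```python
import re
import unicodedata
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed configuration directory; any absolute path works for the demonstration.
CONFIG_DIR = Path("/srv/emissary/config")


def blacklist_check(name: str) -> bool:
    """Reconstruction of the blacklist pattern the advisory describes: reject a
    backslash, a slash, '..' and a trailing '.'; accept everything else.
    Illustrative only, not Emissary's code."""
    if any(token in name for token in ("\\", "/", "..")):
        return False
    return not name.endswith(".")


def lenient_decode(name: str) -> str:
    """Hypothetical handling further down the stack: percent-decode twice
    (a framework layer and then a helper), then NFKC-normalize before the
    value is used to build a filesystem path. The blacklist never sees this form."""
    return unicodedata.normalize("NFKC", unquote(unquote(name)))


# Positive pattern for a configuration name; tighten or widen to the real naming rules.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def allowlist_check(name: str) -> bool:
    """Allowlist validation on the raw name: percent signs, path separators and
    non-ASCII look-alikes are all rejected before any decoding can happen."""
    return ALLOWED_NAME.fullmatch(name) is not None


def resolve_inside(base: Path, name: str) -> Optional[Path]:
    """Defence in depth: join, canonicalize (symlinks and '..'), and require the
    result to stay under base. Returns None when the path escapes."""
    root = base.resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def evaluate(name: str, base: Path = CONFIG_DIR) -> dict:
    """Compare both validators on one input and report whether the name, as a
    lenient consumer would decode it, reaches outside the configuration directory."""
    decoded = lenient_decode(name)
    return {
        "blacklist_accepts": blacklist_check(name),
        "allowlist_accepts": allowlist_check(name),
        "decoded": decoded,
        "escapes_after_decoding": resolve_inside(base, decoded) is None,
    }


# Constructed probe names for the demonstration (not taken from any real request).
PROBES = [
    "app",                               # benign name: both validators accept it
    "../../etc/passwd",                  # plain traversal: the blacklist does catch this
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",    # URL-encoded ../../etc/passwd
    "%252e%252e%252fetc%252fpasswd",     # double-encoded ../etc/passwd
    "\uff0e\uff0e\uff0fetc\uff0fpasswd", # fullwidth '.' and '/'; NFKC yields ../etc/passwd
]

if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe), evaluate(probe))
```

Only the first probe survives the allowlist, while three of the four traversal attempts pass the blacklist unchanged and only turn into `../` after decoding or normalization. The containment check in `resolve_inside` is the safety net for the case where validation is bypassed or the naming rules later change.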