CVE-2026-24686: go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names

January 26, 2026 (updated January 29, 2026)

go-tuf’s TAP 4 Multirepo Client uses the map file repository name string (repoName) as a filesystem path component when selecting the local metadata cache directory. If an application accepts a map file from an untrusted source, an attacker can supply a repoName containing traversal (e.g., ../escaped-repo) and cause go-tuf to create directories and write the root metadata file outside the intended LocalMetadataDir cache base, within the running process’s filesystem permissions.

References

github.com/advisories/GHSA-jqc5-w2xx-5vq4
github.com/theupdateframework/go-tuf
github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0
github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4
nvd.nist.gov/vuln/detail/CVE-2026-24686

Code Behaviors & Features

Detect and mitigate CVE-2026-24686 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →