CVE-2026-26187: lakeFS vulnerable to path traversal in local block adapter allow cross-namespace and sibling directory access

February 13, 2026

Two path traversal vulnerabilities in the local block adapter allow authenticated users to read and write files outside their designated storage boundaries.

References

github.com/advisories/GHSA-699m-4v95-rmpm
github.com/treeverse/lakeFS
github.com/treeverse/lakeFS/commit/cbc106275357302a834280f133265dc39f1384ce
github.com/treeverse/lakeFS/releases/tag/v1.77.0
github.com/treeverse/lakeFS/security/advisories/GHSA-699m-4v95-rmpm
nvd.nist.gov/vuln/detail/CVE-2026-26187

Code Behaviors & Features

Detect and mitigate CVE-2026-26187 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →