CVE-2026-20613: Container and Containerization archive extraction does not guard against escapes from extraction base directory.

January 22, 2026

The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames.

References

github.com/advisories/GHSA-cq3j-qj2h-6rv3
github.com/apple/containerization
github.com/apple/containerization/commit/3e93416b9a6d7b4c25fff7e9dea22a9ca687ee52
github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3
nvd.nist.gov/vuln/detail/CVE-2026-20613

Detect and mitigate CVE-2026-20613 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →