Skip to main content

Collibra Agent CVE-2026-10621

| EUVDEUVD-2026-33932 HIGH
2026-06-02 cret@cert.org GHSA-j7r9-vcq6-6fv4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 20:25 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
7.5 (HIGH)
Patch available
Jun 02, 2026 - 16:01 EUVD
CVE Published
Jun 02, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.

AnalysisAI

Arbitrary file write in Collibra Agent's restore handler allows remote unauthenticated attackers to drop files outside the intended extraction directory by submitting a crafted ZIP archive that abuses unsanitized path entries during extraction. The flaw affects multiple Collibra Platform SaaS and on-premises release trains and carries a CVSS 3.1 score of 7.5 (integrity-only impact). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but a vendor patch is available.

Technical ContextAI

The vulnerability is a classic Zip Slip / path traversal weakness (conceptually CWE-22 'Improper Limitation of a Pathname to a Restricted Directory', with elements of CWE-23/CWE-29) occurring in the restore handler of Collibra Agent, the component used to manage and restore backups on Collibra Platform deployments. During ZIP extraction the handler concatenates archive entry names onto the destination directory without canonicalizing the resulting path or rejecting '../' sequences and absolute paths, so attacker-controlled entry names can escape the intended extraction root and land on arbitrary filesystem locations writable by the agent's service account. The affected components are Collibra Platform in both SaaS and on-premises form across the 2025.10, 2025.11, 2026.02, 2026.03, and 2026.04 release lines; CPE strings were not provided in the input.

RemediationAI

Apply the vendor-released patches by upgrading to the fixed builds listed by Collibra and ENISA EUVD: SaaS customers should be on at least 2025.10.9, 2025.11.7, 2026.02.6, 2026.03.4, or the corrected 2026.04 fix build (verify exact version with Collibra given the apparent typo in the public source), and on-prem operators should upgrade to at least 2025.10.399 or 2026.03.356 depending on their release line. SaaS tenants are typically patched by Collibra centrally but should confirm their tenant version via the admin console and the CERT/CC advisory at https://kb.cert.org/vuls/id/873170. Until on-prem upgrades are applied, restrict network access to the Collibra Agent management/restore endpoint via firewall or reverse-proxy ACLs so only trusted administrative hosts can reach it, disable or block use of the restore/import-from-ZIP workflow if operationally feasible (trade-off: blocks legitimate backup restores), and monitor the agent's extraction target directory and its parents for unexpected file writes outside the configured restore path. Avoid running the Collibra Agent service as a privileged account to limit blast radius if the path traversal is exploited before patching.

Share

CVE-2026-10621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy