Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:H because exploitation requires a trusted mTLS cert or join token; S:C and I:H/A:H because cluster-wide state and daemons beyond the local node are impacted.
Primary rating from Vendor (canonical).
CVSS VectorVendor: canonical
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state.
AnalysisAI
Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the /var/snap/microceph snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on name and LocalName parameters in cmdRemotePut, permitting .. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of either a trusted cluster mTLS certificate (as held by enrolled MicroCeph cluster members) or a valid cluster join token - these are the only two credential types the description identifies as granting the necessary trust level. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) is driven primarily by PR:H - exploitation requires possession of a trusted cluster mTLS certificate held by an enrolled cluster member, or a valid join token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised cluster member possessing a valid mTLS certificate sends a crafted PUT request to the remote-import API with a `name` or `LocalName` parameter containing a path traversal sequence such as `../state`. The unpatched API constructs a filesystem path from the unsanitized input, writing or overwriting files in unintended directories within `/var/snap/microceph`, which corrupts cluster configuration state and causes one or more MicroCeph daemons to crash or behave erroneously. … |
| Remediation | Upstream fix available via GitHub PR #758 (https://github.com/canonical/microceph/pull/758); a released patched snap version is not independently confirmed - monitor the Canonical MicroCeph snap store channel for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37990
GHSA-xg3j-c7q4-f9ph