Skip to main content

Apache Ivy CVE-2026-26032

CRITICAL
Path Traversal (CWE-22)
2026-07-15
Share

Severity by source

vuln.today AI
6.5 MEDIUM

Network-reachable via repository fetch but AC:H (attacker must control a trusted repo); PR:L for required repo write access; UI:R for mandatory developer-initiated build; S:C as traversal escapes buildRoot; I:H for arbitrary file overwrite; A:L for potential build disruption.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 16:20 vuln.today
CVE Published
Jul 15, 2026 - 15:34 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Path traversal in Apache Ivy's PackagerResolver (versions 2.0.0 through 2.5.3) allows an attacker with write access to a packager repository to overwrite arbitrary files outside the configured buildRoot directory by embedding '../' sequences in module coordinates such as organisation, name, or revision. The overwrite occurs during the Ant-script-driven repackaging phase that PackagerResolver triggers on artifact download. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to packager repository
Delivery
Inject ivy.xml with '../' coordinate sequences
Exploit
Victim build triggers PackagerResolver resolution
Execution
Ivy constructs traversal path from coordinates
Persist
Ant repackaging script writes file outside buildRoot
Impact
Overwrite arbitrary file on build host

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The Apache security team rated this vulnerability moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a packager repository (e.g., a compromised contributor account or a malicious repository added to the Ivy resolver chain) adds a module with an organisation coordinate such as 'com/example/../../../etc' and a crafted packager.xml. When a developer or CI pipeline triggers an Ivy build that resolves this module, PackagerResolver constructs a path outside buildRoot and the Ant repackaging script overwrites a target file - for example, a shell script or SSH authorized_keys file - with attacker-controlled content. …
Remediation Upgrade to Apache Ivy 2.6.0, released July 14, 2026, available for download at https://ant.apache.org/ivy/download.cgi. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Apache Ivy versions 2.0.0-2.5.3 and verify access controls on packager repositories restrict write permissions to authorized personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-26032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy