Python
CVE-2026-34726
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root.
As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE.
Details
The relevant code path is:
- the template defines
_subdirectory - Copier renders that string
template_copy_rootreturnsself.template.local_abspath / subdir- Copier walks that directory as the template root
Relevant code:
- <https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/copier/_main.py#L1056-L1062>
- <https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/copier/_template.py#L504-L513>
The effective sink is:
subdir = self._render_string(self.template.subdirectory) or ""
return self.template.local_abspath / subdirThere is no check that the resulting path stays inside the template directory.
The documentation for _subdirectory describes it as:
> Subdirectory to use as the template root when generating a project.
and explains it as a way to separate template metadata from template source code:
<https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/docs/configuring.md#L1582-L1646>
That description fits values like template or poetry, but not ...
PoC
PoC 1: _subdirectory: .. escapes to the parent directory
mkdir -p root/template dst
echo 'loot' > root/loot.txt
printf '%s\n' '_subdirectory: ..' > root/template/copier.yml
copier copy --overwrite root/template dst
find dst -maxdepth 3 -type f | sort
cat dst/loot.txtExpected output includes:
dst/loot.txt
dst/template/copier.yml
lootThis shows Copier is rendering from root/ rather than from root/template/.
Impact
If a user runs Copier on an untrusted template, that template can change the effective template root and make Copier render files from outside the intended template directory.
Practical impact:
- template-root escape via
.. - rendering of parent-directory files that were not meant to be part of the template
- possible without
--UNSAFE
AnalysisAI
Path traversal in Copier's _subdirectory setting allows template escape without --UNSAFE flag. A malicious or compromised template can use parent-directory traversal sequences (e.g., _subdirectory: ..) to render files from outside the intended template directory, enabling unauthorized file access during template instantiation. CVSS 4.4 (low-to-moderate severity); no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
Copier is a Python-based template generation tool that processes a _subdirectory configuration parameter to set the effective template root directory. The vulnerability exists in the rendering pipeline: the _subdirectory string is rendered as a Jinja2 template, then appended directly to self.template.local_abspath without path normalization or containment validation. The sink is in _template.py where return self.template.local_abspath / subdir concatenates user-controlled subdirectory input to the base template path using Python's pathlib division operator. No check confirms the resolved path remains within the intended template boundary. This is a classic path traversal (CWE-22) where relative path components like .. are accepted and processed, allowing escape to parent directories. The vulnerability affects pkg:pip/copier across versions that do not implement path containment checks.
RemediationAI
Upgrade Copier to the patched version specified in the GitHub Security Advisory (GHSA-85v3-4m8g-hrh6). The fix implements path containment validation to ensure _subdirectory values cannot escape the template root using parent-directory traversal; this likely involves path normalization and assertion that the resolved path is a descendant of the template base directory. Immediate workaround: only run Copier on templates from trusted sources and manually audit _subdirectory values in copier.yml before execution. Review https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6 for the exact patched release version and implementation details.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-85v3-4m8g-hrh6