Skip to main content

PluginScript CVE-2026-44933

| EUVDEUVD-2026-31074 HIGH
Path Traversal: '.../...//' (CWE-35)
2026-05-20 meissner@suse.de GHSA-w74x-gjhj-gxwp
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:31 vuln.today

DescriptionCVE.org

PluginScript attempts to chroot the plugin to the repoManagerRoot, this root is frequently / (the system root) in standard configurations or when using --root. If the chroot target is /, it is a no-op, allowing the traversed path to execute host binaries (like /bin/bash) with root privileges.

AnalysisAI

Privilege escalation via chroot bypass in PluginScript allows local users to execute host binaries such as /bin/bash with root privileges when the repoManagerRoot is set to '/' (a common default or result of --root). Because chroot to the system root is a no-op, path traversal within the plugin escapes intended isolation. No public exploit identified at time of analysis, but the issue was reported by a SUSE researcher and is tracked in SUSE Bugzilla.

Technical ContextAI

The vulnerability resides in PluginScript's sandboxing logic, which relies on chroot(2) to confine plugin execution inside the directory specified by repoManagerRoot. CWE-35 (Path Traversal: '.../...//') describes the underlying class: when the chroot target is '/' - either by default configuration or when the operator invokes the tool with --root - the system call becomes a semantic no-op since '/' is already the process root. Combined with insufficient validation of relative or traversal-style paths inside the plugin script, the intended jail does not exist, so subsequent path resolution operates against the real host filesystem and arbitrary host executables (such as /bin/bash) remain reachable. Because PluginScript runs with the elevated privileges needed to perform chroot, any code reached through the traversal inherits root.

RemediationAI

No vendor-released patch identified at time of analysis; consult the SUSE advisory at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-44933 for the patched package version once published and apply it on all hosts running PluginScript. Until a fix is available, the most effective compensating control is to ensure repoManagerRoot is set to a real, dedicated subdirectory rather than '/' and to avoid invoking the tool with --root pointing at the filesystem root, which neutralizes the no-op chroot precondition (side effect: existing automation that relies on --root / will break and may need path remapping). As a defense-in-depth measure, restrict execute permission on PluginScript to a small operator group and run the repo manager under an unprivileged service account where the workflow allows, accepting that some repository operations requiring root will then need explicit privilege escalation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/toolbox:13.2-9.114 Affected
SUSE Linux Micro 6.1 Fixed
openSUSE Tumbleweed Fixed
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed

Share

CVE-2026-44933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy