Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (NLnet Labs) · only source for this CVE.
CVSS VectorVendor: NLnet Labs
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
AnalysisAI
Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync URIs whose module component contains '..' sequences, enabling read/write access across the entire Routinator rsync cache filesystem. The flaw is network-reachable and requires no authentication, and no public exploit identified at time of analysis. CVSS 4.0 of 8.3 reflects high integrity and availability impact with an attack requirement (AT:P) reducing it from critical.
Technical ContextAI
Routinator is NLnet Labs' Relying Party software for RPKI (Resource Public Key Infrastructure), used by network operators to validate BGP route origins against signed cryptographic data published by RIRs and resource holders. To collect this data, Routinator fetches repositories over rsync and RRDP, mapping remote rsync URIs (rsync://host/module/path) into a local cache directory tree. The vulnerability is a classic CWE-22 Path Traversal: the module component of a remote rsync URI is concatenated into the local cache filesystem path without sanitizing '..' sequences, so a malicious or compromised upstream repository can direct writes/reads outside its intended subdirectory. Affected component identified by CPE cpe:2.3:a:nlnet_labs:routinator (all versions prior to the fix).
RemediationAI
Vendor-released patch: upgrade Routinator to 0.15.2 or later per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt, which is the primary and recommended fix. If immediate patching is not possible, restrict the set of trust anchors and rsync publication points Routinator is configured to fetch from to those operated by trusted RIRs only (this reduces but does not eliminate exposure, since a compromised RIR-adjacent repo could still trigger the issue), and consider temporarily preferring RRDP over rsync where the deployment supports it to narrow the attack surface against the rsync code path. Monitor the Routinator cache directory for unexpected files or paths outside expected module subdirectories as a detective control, accepting that this is reactive rather than preventive.
More in Routinator
View allAn issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability
Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu
Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg
Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q
NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.
In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans
NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne
NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length
NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35063
GHSA-33mj-99mg-8g73