Skip to main content

Routinator CVE-2026-49233

| EUVDEUVD-2026-35063 HIGH
Path Traversal (CWE-22)
2026-06-08 NLnet Labs GHSA-33mj-99mg-8g73
8.3
CVSS 4.0 · Vendor: NLnet Labs
Share

Severity by source

Vendor (NLnet Labs) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NLnet Labs) · only source for this CVE.

CVSS VectorVendor: NLnet Labs

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 16:51 vuln.today
CVSS changed
Jun 08, 2026 - 15:37 NVD
8.3 (HIGH)
CVE Published
Jun 08, 2026 - 12:58 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

AnalysisAI

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync URIs whose module component contains '..' sequences, enabling read/write access across the entire Routinator rsync cache filesystem. The flaw is network-reachable and requires no authentication, and no public exploit identified at time of analysis. CVSS 4.0 of 8.3 reflects high integrity and availability impact with an attack requirement (AT:P) reducing it from critical.

Technical ContextAI

Routinator is NLnet Labs' Relying Party software for RPKI (Resource Public Key Infrastructure), used by network operators to validate BGP route origins against signed cryptographic data published by RIRs and resource holders. To collect this data, Routinator fetches repositories over rsync and RRDP, mapping remote rsync URIs (rsync://host/module/path) into a local cache directory tree. The vulnerability is a classic CWE-22 Path Traversal: the module component of a remote rsync URI is concatenated into the local cache filesystem path without sanitizing '..' sequences, so a malicious or compromised upstream repository can direct writes/reads outside its intended subdirectory. Affected component identified by CPE cpe:2.3:a:nlnet_labs:routinator (all versions prior to the fix).

RemediationAI

Vendor-released patch: upgrade Routinator to 0.15.2 or later per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt, which is the primary and recommended fix. If immediate patching is not possible, restrict the set of trust anchors and rsync publication points Routinator is configured to fetch from to those operated by trusted RIRs only (this reduces but does not eliminate exposure, since a compromised RIR-adjacent repo could still trigger the issue), and consider temporarily preferring RRDP over rsync where the deployment supports it to narrow the attack surface against the rsync code path. Monitor the Routinator cache directory for unexpected files or paths outside expected module subdirectories as a detective control, accepting that this is reactive rather than preventive.

CVE-2020-17366 HIGH POC
7.4 Aug 05

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability

CVE-2026-49235 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu

CVE-2026-49232 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg

CVE-2026-49234 HIGH
8.2 Jun 08

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon

CVE-2024-1622 HIGH
7.5 Feb 26

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q

CVE-2023-39915 HIGH
7.5 Sep 13

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

CVE-2022-3029 HIGH
7.5 Sep 13

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and

CVE-2021-43174 HIGH
7.5 Nov 09

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r

CVE-2021-43173 HIGH
7.5 Nov 09

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans

CVE-2021-43172 HIGH
7.5 Nov 09

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne

CVE-2021-41531 HIGH
7.5 Sep 21

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length

CVE-2023-39916 MEDIUM
6.5 Sep 13

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible

Share

CVE-2026-49233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy