Skip to main content

K3s CVE-2026-54250

| EUVDEUVD-2026-39512 MEDIUM
Path Traversal (CWE-22)
2026-06-25 GitHub_M GHSA-jxr7-mqhw-9p98
5.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.8 MEDIUM
AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
vuln.today AI
5.8 MEDIUM

Administrator must locally restore the archive (AV:L, PR:H, UI:R); arbitrary write causes integrity and availability harm but no direct data disclosure (C:N).

3.1 AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 20:03 EUVD
Analysis Generated
Jun 25, 2026 - 18:59 vuln.today

DescriptionCVE.org

K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.

AnalysisAI

Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft zip with path-traversal member names
Delivery
Deliver malicious archive to K3s admin
Exploit
Admin executes etcd snapshot restore
Execution
K3s decompresses without path sanitization
Persist
Attacker-controlled files written to arbitrary filesystem paths
Impact
Overwritten files trigger privileged code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: (1) the attacker must be able to deliver a maliciously crafted zip archive to a K3s administrator, and (2) the administrator must actively execute an etcd snapshot restore operation using that archive. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.8 (Medium) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to influence which etcd snapshot archive a K3s administrator restores - for example, by compromising a backup storage location, staging a malicious file on shared storage, or social-engineering the administrator - provides a crafted zip file containing entries with names like '../../var/spool/cron/root'. When the administrator executes the K3s etcd snapshot restore command against this archive, K3s extracts the malicious entry to the traversed path, potentially placing a cron job or overwriting a system binary that executes with root privileges on the next scheduled run or service restart. …
Remediation Upgrade K3s to one of the vendor-released patched versions: 1.35.3+k3s1 (v1.35 branch), 1.34.6+k3s1 (v1.34 branch), or v1.33.10+k3s1 (v1.33 branch), as documented in the GitHub Security Advisory at https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-54250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy