go.qbee.io/transport CVE-2026-55828
MEDIUMSeverity by source
Network vector assumed as qbee-agent fetches archives remotely; AC:H because attacker must control the archive source; S:C for filesystem writes escaping the extraction sandbox.
Lifecycle Timeline
2DescriptionCVE.org
Impact
The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archive can be used to write or overwrite files one directory level above the intended extraction path. In the case of qbee-agent, which runs with root privileges, this vulnerability permits a root-privileged file write outside the intended destination.
Patches
The issue has been addressed in version v1.26.25
AnalysisAI
Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an attacker can supply or substitute a crafted tar archive that is processed by the extractTar routine in go.qbee.io/transport. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was provided by the reporter, so risk metrics must be inferred from the description and deployment context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to control or substitute a tar archive processed by qbee-agent - for example by compromising the update distribution server or performing a supply chain injection - crafts an archive containing a symlink entry that points one level above the extraction directory, followed by a regular file entry routed through that symlink. When qbee-agent's extractTar routine processes the archive, its lexical path validator approves the paths, the symlink is created on disk, and the subsequent file write resolves outside the extraction root. … |
| Remediation | Upgrade go.qbee.io/transport to version 1.26.25 or later, which resolves the lexical-only path validation flaw in extractTar. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f9m7-vc86-p6jj