Skip to main content

go.qbee.io/transport CVE-2026-55828

MEDIUM
Path Traversal (CWE-22)
2026-06-19 https://github.com/qbee-io/transport GHSA-f9m7-vc86-p6jj
Share

Severity by source

vuln.today AI
8.7 HIGH

Network vector assumed as qbee-agent fetches archives remotely; AC:H because attacker must control the archive source; S:C for filesystem writes escaping the extraction sandbox.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:38 vuln.today
Analysis Generated
Jun 19, 2026 - 23:38 vuln.today

DescriptionCVE.org

Impact

The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archive can be used to write or overwrite files one directory level above the intended extraction path. In the case of qbee-agent, which runs with root privileges, this vulnerability permits a root-privileged file write outside the intended destination.

Patches

The issue has been addressed in version v1.26.25

AnalysisAI

Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or substitute tar archive delivered to qbee-agent
Delivery
Embed symlink entry targeting parent directory
Exploit
Agent's extractTar validates path lexically and approves
Execution
Symlink planted on disk during extraction
Persist
Subsequent archive entry routed through symlink writes outside extraction root
Impact
Root-owned file overwritten in parent directory

Vulnerability AssessmentAI

Exploitation Exploitation requires that an attacker can supply or substitute a crafted tar archive that is processed by the extractTar routine in go.qbee.io/transport. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided by the reporter, so risk metrics must be inferred from the description and deployment context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to control or substitute a tar archive processed by qbee-agent - for example by compromising the update distribution server or performing a supply chain injection - crafts an archive containing a symlink entry that points one level above the extraction directory, followed by a regular file entry routed through that symlink. When qbee-agent's extractTar routine processes the archive, its lexical path validator approves the paths, the symlink is created on disk, and the subsequent file write resolves outside the extraction root. …
Remediation Upgrade go.qbee.io/transport to version 1.26.25 or later, which resolves the lexical-only path validation flaw in extractTar. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy