Skip to main content

Gleam EUVDEUVD-2026-21680

| CVE-2026-32146 HIGH
Path Traversal (CWE-22)
2026-04-11 EEF
8.3
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
8.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative
Red Hat
8.6 HIGH
qualitative

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 14, 2026 - 10:22 NVD
MEDIUM HIGH
CVSS changed
Apr 14, 2026 - 10:22 NVD
6.2 (MEDIUM) 8.3 (HIGH)
Analysis Generated
Apr 11, 2026 - 15:42 vuln.today
EUVD ID Assigned
Apr 11, 2026 - 13:30 euvd
EUVD-2026-21680
Analysis Generated
Apr 11, 2026 - 13:30 vuln.today
Patch released
Apr 11, 2026 - 13:30 nvd
Patch available
CVE Published
Apr 11, 2026 - 12:59 nvd
HIGH 8.3

DescriptionCVE.org

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download.

Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.

This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.

This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1.

AnalysisAI

Path traversal in Gleam compiler versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1 allows arbitrary file system modification when resolving git dependencies, enabling attackers to delete and overwrite directories outside the intended dependency folder via malicious dependency names containing relative or absolute paths. A user must invoke dependency download (e.g., gleam deps download) for exploitation; attackers can leverage this to cause data loss or achieve code execution by overwriting git hooks or shell configuration files. Vendor-released patches are available.

Technical ContextAI

The Gleam compiler incorporates dependency names from gleam.toml and manifest.toml directly into filesystem paths during git dependency resolution without proper validation or path canonicalization. The root cause is a CWE-22 path traversal vulnerability: dependency names containing sequences like '../' or absolute paths are not sanitized before being used in filesystem operations (directory creation, deletion, file write). The affected code path is triggered during the dependency download phase, which normally operates within a confined directory structure. When a malicious dependency (either directly declared or transitive) includes path traversal sequences in its name, the computed paths escape the intended dependency directory and can target arbitrary locations on the filesystem accessible to the process running the compiler.

RemediationAI

Upgrade Gleam to a patched version immediately; consult the vendor advisory at https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j for exact fixed release numbers (patches are available via GitHub commits 1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf and 55bb36e6d7febfbbc48c4d001e0ae13eb0312d78). As a workaround pending patching, avoid adding untrusted or unfamiliar git dependencies to gleam.toml, and audit existing dependencies for any with suspicious names containing path-like sequences. Restrict execution of gleam deps download to trusted development environments and use dependency lock files (manifest.toml) to prevent unexpected transitive dependency updates.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-21680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy