Skip to main content

Canonical MicroCeph EUVDEUVD-2026-37990

| CVE-2026-10720 MEDIUM
Relative Path Traversal (CWE-23)
2026-06-19 canonical GHSA-xg3j-c7q4-f9ph
5.1
CVSS 4.0 · Vendor: canonical
Share

Severity by source

Vendor (canonical) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

PR:H because exploitation requires a trusted mTLS cert or join token; S:C and I:H/A:H because cluster-wide state and daemons beyond the local node are impacted.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H

Primary rating from Vendor (canonical).

CVSS VectorVendor: canonical

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 08:46 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 06:39 vuln.today
Analysis Generated
Jun 19, 2026 - 06:39 vuln.today

DescriptionCVE.org

Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state.

AnalysisAI

Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the /var/snap/microceph snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on name and LocalName parameters in cmdRemotePut, permitting .. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain mTLS certificate or join token
Delivery
Craft traversal payload in remote name or localName field
Exploit
Send malformed PUT request to remote-import API
Execution
API constructs unvalidated filesystem path within /var/snap/microceph
Persist
Overwrite or corrupt cluster state files
Impact
Trigger daemon crash or cluster state pollution

Vulnerability AssessmentAI

Exploitation Exploitation requires possession of either a trusted cluster mTLS certificate (as held by enrolled MicroCeph cluster members) or a valid cluster join token - these are the only two credential types the description identifies as granting the necessary trust level. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 (Medium) is driven primarily by PR:H - exploitation requires possession of a trusted cluster mTLS certificate held by an enrolled cluster member, or a valid join token. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised cluster member possessing a valid mTLS certificate sends a crafted PUT request to the remote-import API with a `name` or `LocalName` parameter containing a path traversal sequence such as `../state`. The unpatched API constructs a filesystem path from the unsanitized input, writing or overwriting files in unintended directories within `/var/snap/microceph`, which corrupts cluster configuration state and causes one or more MicroCeph daemons to crash or behave erroneously. …
Remediation Upstream fix available via GitHub PR #758 (https://github.com/canonical/microceph/pull/758); a released patched snap version is not independently confirmed - monitor the Canonical MicroCeph snap store channel for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy