Skip to main content

Microceph

1 CVEs product

Monthly

CVE-2026-10720 Go MEDIUM PATCH This Month

Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the `/var/snap/microceph` snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on `name` and `LocalName` parameters in `cmdRemotePut`, permitting `..` sequences to reach unintended directories. No public exploit has been identified at time of analysis; an upstream fix exists as GitHub PR #758 with no confirmed tagged snap release.

Path Traversal Canonical Microceph
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the `/var/snap/microceph` snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on `name` and `LocalName` parameters in `cmdRemotePut`, permitting `..` sequences to reach unintended directories. No public exploit has been identified at time of analysis; an upstream fix exists as GitHub PR #758 with no confirmed tagged snap release.

Path Traversal Canonical Microceph
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy