Routinator cache path traversal using rogue rsync URIs_CVE-2026-49233

8.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

Basic Information

ID CVE-2026-49233

Source NLnet Labs

Published Jun 8, 2026 at 12:58

Modified Jun 8, 2026 at 15:38

Affected Product

Vendor NLnet Labs

Product Routinator

Version 0.15.2

CWE Classification

CWE-22

References

www.nlnetlabs.nl /downloads/routinator/CVE-2026-49233.txt

{
    "lastseen": "",
    "description": "Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.",
    "published": "2026-06-08T12:58:49.824Z",
    "modified": "2026-06-08T15:38:59.530Z",
    "type": "cve",
    "title": "Routinator cache path traversal using rogue rsync URIs",
    "source": "NLnet Labs",
    "references": "https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt",
    "id": "CVE-2026-49233",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Routinator",
    "version": "0.15.2",
    "vendor": "NLnet Labs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}