CVSS Score: 8.1 Published: 2026-02-13 Full Report: https://cvereports.com/reports/CVE-2026-26187
A critical path traversal vulnerability in the lakeFS Local Block Adapter allows authenticated users to break out of their storage namespace boundaries. By exploiting a weak prefix validation check and a namespace logic error, attackers can read and write files in sibling repositories or unrelated directories on the host filesystem.
lakeFS failed to properly sanitize file paths in its Local Block Adapter. Due to a missing trailing slash in a prefix check and loose namespace validation, attackers can use ../ sequences to access files outside their repo. Fixed in v1.77.0.
- CVE ID: CVE-2026-26187
- CVSS Score: 8.1 (High)
- CWE: CWE-22 (Path Traversal)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Affected Versions: < 1.77.0
- Fix Version: 1.77.0
- lakeFS (Local Block Adapter)
- treeverse/lakeFS: < 1.77.0 (Fixed in:
1.77.0)
- Strict Prefix Validation with Separators
- Namespace-level Path Anchoring
- Input Sanitization via filepath.Clean
Remediation Steps:
- Upgrade lakeFS to version 1.77.0 or later immediately.
- Audit existing Local Block Adapter configurations for sibling directories that might have been exposed.
- If unable to upgrade, restrict access to the lakeFS API to trusted networks only.
Generated by CVEReports - Automated Vulnerability Intelligence