CVE-2020-26405
Description
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal in GitLab's NuGet metadata update lets an attacker write package files to arbitrary locations on the server.
Vulnerability
A path traversal vulnerability exists in the NuGet package upload functionality of GitLab Community Edition (CE) and Enterprise Edition (EE) from version 12.8 through 13.3.8, 13.4.0 through 13.4.4, and 13.5.0 through 13.5.1. When a NuGet package is uploaded via the API, the `UpdatePackageFromMetadataService` extracts the package id and version from the embedded nuspec file to rename and move the uploaded `.nupkg` file. Neither the id nor the version is sanitized for path traversal sequences, allowing the attacker to control where the file is saved on the filesystem [1].
Exploitation
An attacker with the ability to upload a NuGet package to a GitLab project can craft a malicious nuspec file containing path traversal sequences in the `id` and `version` fields. For example, setting `../../../../../../../../../../../../../` and `./var/opt/gitlab/.ssh/aaa` causes the uploaded `.nupkg` file to be moved to `/var/opt/gitlab/.ssh/`. The file always retains the `.nupkg` extension, but the attacker can create arbitrary parent directories and write files under the `git` user's privileges. The package must be a valid zip archive, though arbitrary data can be appended to the start of the file [1].
Impact
A successful attack allows the attacker to write a file (with a .nupkg extension) to any location the git user can write to on the GitLab server. This can potentially lead to overwriting SSH authorized keys, configuration files, or other sensitive data, depending on the file permissions and the capabilities of the git user. The exact scope of compromise depends on the server configuration, but arbitrary file write is a critical impact [1].
Mitigation
GitLab released fixed versions 13.3.9, 13.4.5, and 13.5.2 on 2020-11-17. Users should upgrade to one of these or a later version. No workaround is available for earlier versions, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.8, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2
- Range: >=12.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on package name and version extracted from NuGet nuspec metadata allows directory traversal in the file path used to store the uploaded package."
Attack vector
An attacker crafts a malicious nuspec file containing path traversal sequences (e.g., `../../../../`) in the `
Affected code
The vulnerability is in the `UpdatePackageFromMetadataService`, which runs after a NuGet package is uploaded via the API. The `package_filename` method constructs a file path by concatenating `package_name` and `package_version` from the nuspec metadata without any validation, and the resulting path is used in `package_file.update!` to move the uploaded `.nupkg` file [1].
What the fix does
The advisory does not include a patch diff, but the expected correct behavior is that the `package_filename` should be validated to reject path traversal sequences [1]. The fix would involve sanitizing the `package_name` and `package_version` values extracted from the nuspec metadata before using them to construct the file path, preventing directory traversal outside the intended package storage directory.
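The following Ruby snippet is an added illustration of the validation described above; it is not GitLab's code and not the actual fix. It contrasts the unchecked concatenation the advisory describes with a hypothetical `safe_package_filename` helper that rejects metadata containing traversal sequences or path separators and, as defence in depth, confirms the resolved path stays under an assumed storage root (`STORAGE_ROOT` is a constructed placeholder, not a real GitLab path).

```ruby
# Added example (not GitLab's code): validating NuGet package id and version
# before they are used to build the on-disk filename of an uploaded .nupkg.

# Constructed placeholder for the package storage directory; not a real GitLab path.
STORAGE_ROOT = '/var/opt/gitlab/packages'.freeze

# Rough shape of the unvalidated construction the advisory describes:
# id and version go straight into the filename with no checks, so a
# traversal sequence in either field escapes the storage directory.
def unsafe_package_filename(package_name, package_version)
  "#{package_name}.#{package_version}.nupkg"
end

class InvalidPackageMetadata < StandardError; end

# NuGet package ids: letters, digits, '.', '_' and '-', never starting with '.'
# (so '..' and './' prefixes are impossible) and never containing a separator.
PACKAGE_ID_RE = /\A[A-Za-z0-9_][A-Za-z0-9_.\-]*\z/
# Versions: dotted numeric segments with optional pre-release / build metadata.
PACKAGE_VERSION_RE = /\A\d+(\.\d+){0,3}(-[0-9A-Za-z.\-]+)?(\+[0-9A-Za-z.\-]+)?\z/

# Returns true when both fields are acceptable for use in a filename.
def valid_package_metadata?(package_name, package_version)
  return false unless package_name.is_a?(String) && package_version.is_a?(String)
  return false unless package_name.match?(PACKAGE_ID_RE)
  return false unless package_version.match?(PACKAGE_VERSION_RE)
  # The id regex still allows 'a..b'; reject any '..' run outright.
  !(package_name.include?('..') || package_version.include?('..'))
end

# Hypothetical hardened counterpart: validate first, then verify the resolved
# path is still inside STORAGE_ROOT before returning the filename.
def safe_package_filename(package_name, package_version)
  unless valid_package_metadata?(package_name, package_version)
    raise InvalidPackageMetadata, 'package id or version contains disallowed characters'
  end

  filename = "#{package_name}.#{package_version}.nupkg"
  resolved = File.expand_path(filename, STORAGE_ROOT)
  unless resolved.start_with?("#{STORAGE_ROOT}/")
    raise InvalidPackageMetadata, 'resolved path escapes the package storage root'
  end

  filename
end

if __FILE__ == $PROGRAM_NAME
  # The traversal values quoted in the advisory resolve outside the storage root
  # when concatenated blindly...
  puts File.expand_path(unsafe_package_filename('../../../../../../../../../../../../../',
                                                './var/opt/gitlab/.ssh/aaa'), STORAGE_ROOT)
  # ...and are rejected by the validating helper.
  begin
    safe_package_filename('../../../../../../../../../../../../../', './var/opt/gitlab/.ssh/aaa')
  rescue InvalidPackageMetadata => e
    puts "rejected: #{e.message}"
  end
  puts safe_package_filename('Newtonsoft.Json', '12.0.3')
end
```

The character-class check is the primary control; the `File.expand_path` comparison is a second, independent guard so that a future relaxation of the regexes cannot silently reintroduce a write outside the storage directory.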
Preconditions
- auth: Attacker must have a valid GitLab account and API token for a project
- config: Target GitLab instance must be version >=12.8 and <13.3.9, >=13.4 and <13.4.5, or >=13.5 and <13.5.2
- network: Attacker must be able to upload a NuGet package via the API endpoint /api/v4/projects/:id/packages/nuget/
Reproduction
1. Create a project on the GitLab instance.
2. Create a `spec.nuspec` file with path traversal payloads in the `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/247371 (MITRE x_refsource_MISC)
- hackerone.com/reports/835427 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.