Unrated severityNVD Advisory· Published Jun 14, 2026

CVE-2026-11527

Description

Config::IniFiles before 3.001000 for Perl uses 2-arg open() allowing OS command injection or file overwrite via the -file argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Config::IniFiles before 3.001000 for Perl uses 2-arg open() allowing OS command injection or file overwrite via the -file argument.

Vulnerability

Config::IniFiles versions before 3.001000 for Perl contain a vulnerability in the _make_filehandle subroutine, which is invoked via the -file argument when creating a new Config::IniFiles object (-file => $thing). The subroutine uses Perl's two-argument open() call, so a filename that begins or ends with a pipe (| cmd, cmd |) or begins with a redirect (> path, >> path) is interpreted as a command or redirect instead of a plain file path [1]. This affects all callers that forward untrusted input to the -file argument; an in-memory scalar reference (-file => \$text) does not open a path and is unaffected [1].

Exploitation

An attacker needs to supply a specially crafted string to the -file argument of Config::IniFiles->new(). No authentication or network position beyond the ability to pass input to the constructor is required. For command injection, the payload could be of the form | command or command |; for file overwrite, the payload could be >path or >>path. The two-argument open() will execute the command or truncate/append the file under the process UID [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary OS command execution or arbitrary file overwrite (truncation or append) with the privileges of the Perl process. This can lead to complete compromise of the application's confidentiality, integrity, and availability depending on the command or file affected [1].

Mitigation

The vulnerability is fixed in Config::IniFiles version 3.001000 [1]. The fix changes the _make_filehandle subroutine to use a three-argument open() (open($fh, '<', $thing)), which treats the filename as a literal path and prevents shell interpretation of metacharacters [1]. Users should upgrade to version 3.001000 or later. No workaround is available for older versions; any caller that passes untrusted input to the -file argument should be updated to validate or sanitize filenames before upgrade [1].

References

https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8.patch

AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Shlomif/Perl Config Inifilesreferences
Perl Config Inifiles/perl-Config-IniFilesllm-create
Range: <3.001000

Patches

3e48f9627fbb

CVE-2026-11527

https://github.com/shlomif/perl-config-inifilesShlomi FishJun 8, 2026via nvd-ref

commit

2 files changed · +69 −2

config-inifiles/lib/Config/IniFiles.pm+3 −2 modified

@@ -2967,9 +2967,10 @@ sub _make_filehandle
     my $fh = qualify_to_ref( $thing, caller(1) );
     return $fh if defined( fileno $fh );
 
-    # otherwise treat it as a file to open
+    # otherwise treat it as a file to open; 3-arg open so the filename is
+    # not interpreted as a command or redirect
     $fh = gensym;
-    open( $fh, $thing ) || return;
+    open( $fh, '<', $thing ) || return;
 
     return $fh;
 }    # end _make_filehandle

config-inifiles/t/38security-open.t+66 −0 added

@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+# Regression test for the 2-arg open() in _make_filehandle.
+#
+# _make_filehandle is the open path behind the -file argument (new -> ReadConfig
+# and WriteConfig both reach it). A 2-arg open() there interprets shell-magic
+# prefixes, so a "cmd |" filename runs a command and a "> file" filename
+# truncates a file. These must be treated as plain pathnames.
+
+use strict;
+use warnings;
+
+use Config::IniFiles;
+use File::Temp qw( tempdir );
+use File::Spec;
+use Test::More tests => 5;
+
+my $dir = tempdir( CLEANUP => 1 );
+
+# A trailing-pipe payload must not run a command.
+{
+    my $marker = File::Spec->catfile( $dir, "pwned_read" );
+    my $fh     = eval { Config::IniFiles->_make_filehandle("touch $marker |") };
+    close $fh if $fh;
+    ok !-e $marker, "trailing-pipe payload does not execute a command";
+}
+
+# A leading-pipe payload must not run a command.
+{
+    my $marker = File::Spec->catfile( $dir, "pwned_write" );
+    my $fh     = eval { Config::IniFiles->_make_filehandle("| touch $marker") };
+    close $fh if $fh;
+    ok !-e $marker, "leading-pipe payload does not execute a command";
+}
+
+# A redirect payload must not truncate a file.
+{
+    my $victim = File::Spec->catfile( $dir, "victim" );
+    open my $fh, ">", $victim or die "$victim: $!";
+    print $fh "important data\n";
+    close $fh;
+    my $made = eval { Config::IniFiles->_make_filehandle("> $victim") };
+    close $made if $made;
+    is -s $victim, 15, "redirect payload does not truncate a file";
+}
+
+# A plain filename still opens as a file.
+{
+    my $real = File::Spec->catfile( $dir, "real.txt" );
+    open my $fh, ">", $real or die "$real: $!";
+    print $fh "x\n";
+    close $fh;
+    my $opened = eval { Config::IniFiles->_make_filehandle($real) };
+    ok $opened, "plain filename still opens as a file";
+}
+
+# 2-arg open() silently trimmed surrounding whitespace (including a trailing
+# newline); 3-arg open treats the argument literally, so an un-chomped name no
+# longer opens the trimmed file.
+{
+    my $real = File::Spec->catfile( $dir, "plain.txt" );
+    open my $fh, ">", $real or die "$real: $!";
+    print $fh "x\n";
+    close $fh;
+    my $padded = eval { Config::IniFiles->_make_filehandle("$real\n") };
+    ok !$padded, "trailing whitespace is significant (filename not trimmed)";
+}

Vulnerability mechanics

Root cause

"Two-argument open() in _make_filehandle interprets shell metacharacters in the filename argument, allowing command injection and file overwrite."

Attack vector

An attacker who can control the value passed to the `-file` argument of `Config::IniFiles->new()` can inject shell metacharacters because `_make_filehandle` uses Perl's two-argument `open()`. A filename beginning with a pipe (`| cmd`) or ending with a pipe (`cmd |`) causes the argument to be executed as a shell command. A filename beginning with a redirect (`> path` or `>> path`) causes the file at that path to be truncated or appended to. No authentication is required; the attacker only needs to supply crafted input to the `-file` parameter.

Affected code

The vulnerability resides in `Config::IniFiles::_make_filehandle` in `lib/Config/IniFiles.pm`. This subroutine is the open path behind the documented `-file` argument, reached through `ReadConfig` and `WriteConfig`. The patch changes the two-argument `open()` call to a three-argument `open()` to prevent shell-metacharacter interpretation.

What the fix does

The patch changes the `open()` call in `_make_filehandle` from the two-argument form `open($fh, $thing)` to the three-argument form `open($fh, '<', $thing)`. In Perl, two-argument `open()` interprets special prefixes like `|` and `>` as shell operators, allowing command injection and file redirection. Three-argument `open()` treats the third argument strictly as a filename, eliminating the shell interpretation. The accompanying test file verifies that pipe and redirect payloads no longer execute commands or truncate files.

Preconditions

inputThe attacker must be able to supply a value for the -file argument to Config::IniFiles->new() or any other caller that reaches _make_filehandle.
authThe attacker does not need authentication; the vulnerability is triggered purely through crafted input.

Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000