Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix
Description
Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc.). Version 7.5.8 has a fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A backslash path traversal in junrar's LocalFolderExtractor allows arbitrary file write on Linux/Unix, potentially leading to RCE.
Vulnerability
CVE-2026-28208 is a path traversal vulnerability in the LocalFolderExtractor component of junrar, an open-source Java library for extracting RAR archives. The root cause is a discrepancy between how the library validates an entry's file path and how it later constructs the output file path. On Linux/Unix systems, backslashes (\) are literal filename characters, not path separators. The validation step builds a File from the destination and the entry name and checks its getCanonicalPath() with startsWith() against the destination's canonical path; on Windows this correctly resolves the .. components, but on Linux a backslash-containing name such as ..\..\tmp\evil.txt is a single literal filename directly under the destination, so the check passes. The subsequent makeFile() method, however, splits the name on backslashes and reconstructs the path with the platform's file separator, turning the literal backslashes into directory traversal (..\..\tmp\evil.txt becomes ../../tmp/evil.txt). The file is therefore written outside the intended extraction directory [1][2].
Exploitation
Exploitation requires an attacker to craft a RAR archive containing a file entry with a name that includes backslash-based path traversal sequences (e.g., ..\..\tmp\evil.txt). The victim must extract this archive using junrar on a Linux/Unix system. No authentication is needed beyond the ability to supply the archive to the extraction process. The attack surface includes any application that uses junrar to extract user-supplied RAR files, such as file upload services, email attachments, or backup tools [1].
Impact
Successful exploitation results in arbitrary file write with attacker-controlled content anywhere on the filesystem. This can lead to remote code execution (RCE) by overwriting critical files such as shell profiles (e.g., .bashrc, .profile), source code, cron jobs, or system binaries. The impact is limited to Linux/Unix systems; Windows is not affected because backslashes are native path separators and the validation step correctly blocks traversal [1][2].
Mitigation
The vulnerability is fixed in junrar version 7.5.8. The fix modifies the createFile() method to normalize backslashes to forward slashes before validation, and changes the makeFile() method to split on forward slashes only, preventing the backslash-to-separator conversion [4]. Users should upgrade to version 7.5.8 or later. No workaround is available for earlier versions [1][2].
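The check that the Vulnerability and Mitigation sections describe, written out as an added example for this page (it is not junrar's code; the class name SafeEntryPath and its method names are illustrative). It normalizes backslashes to forward slashes before any validation, canonicalizes both paths, and then tests containment on a path-element boundary rather than with a plain string prefix, which is a general hardening beyond what the page reports about the fix.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not junrar's code). Resolves an archive entry name under a
 * destination directory and rejects any entry whose canonical target escapes it.
 */
public final class SafeEntryPath {

    /** Same idea as the fix: treat '\' and '/' as equivalent on every platform. */
    static String invariantSeparators(String entryName) {
        return entryName.replace('\\', '/');
    }

    /**
     * Returns the target file for entryName inside destination, or throws
     * IllegalStateException when the canonical target is outside destination.
     */
    static File resolveInside(File destination, String entryName) throws IOException {
        // Normalize BEFORE building the File, otherwise "..\..\x" is one literal
        // filename on Linux and would pass the containment check unchanged.
        String normalized = invariantSeparators(entryName);
        File target = new File(destination, normalized);

        Path destCanon = destination.getCanonicalFile().toPath();
        Path targetCanon = target.getCanonicalFile().toPath();

        // Path.startsWith compares whole path elements, so a destination "/srv/out"
        // does not accept "/srv/outside/x" the way String.startsWith would.
        if (!targetCanon.startsWith(destCanon)) {
            throw new IllegalStateException(
                "Rar contains file with invalid path: " + targetCanon);
        }
        return target;
    }

    /** Convenience wrapper: true when the entry stays inside destination. */
    static boolean isContained(File destination, String entryName) {
        try {
            resolveInside(destination, entryName);
            return true;
        } catch (IOException | IllegalStateException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        File dest = new File(System.getProperty("java.io.tmpdir"), "extract-demo");
        // Constructed entry names: a normal nested file, a forward-slash traversal,
        // and the backslash form described in the advisory. All are checked only;
        // nothing is written.
        String[] entries = {
            "docs/readme.txt",
            "../../tmp/evil.txt",
            "..\\..\\tmp\\evil.txt",
        };
        for (String entry : entries) {
            System.out.println(entry + " -> " + (isContained(dest, entry) ? "allowed" : "rejected"));
        }
    }
}
```

Running main prints "allowed" for the nested file and "rejected" for both traversal forms on Linux, macOS and Windows, because the separator normalization happens before the canonical path is computed and compared.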
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.github.junrar:junrar | Maven | < 7.5.8 | 7.5.8 |
Affected products
- Range: < 7.5.8
- junrar/junrar (v5): Range: < 7.5.8
Patches
1947ff1d33f00fix: better handle files outside directory when extracting
3 files changed · +36 −3
src/main/java/com/github/junrar/LocalFolderExtractor.java+5 −3 modified@@ -55,7 +55,7 @@ File extract( } private File createFile(final FileHeader fh, final File destination) throws IOException { - String name = fh.getFileName(); + String name = invariantSeparatorsPathString(fh.getFileName()); File f = new File(destination, name); String dirCanonPath = f.getCanonicalPath(); if (!dirCanonPath.startsWith(destination.getCanonicalPath())) { @@ -73,7 +73,7 @@ private File createFile(final FileHeader fh, final File destination) throws IOEx } private File makeFile(final File destination, final String name) throws IOException { - final String[] dirs = name.split("\\\\"); + final String[] dirs = name.split("/"); String path = ""; final int size = dirs.length; if (size == 1) { @@ -93,5 +93,7 @@ private File makeFile(final File destination, final String name) throws IOExcept } } - + static String invariantSeparatorsPathString(String path) { + return path.replace("\\", "/"); + } }
src/test/java/com/github/junrar/LocalFolderExtractorTest.java+31 −0 modified@@ -1,6 +1,9 @@ package com.github.junrar; import com.github.junrar.rarfile.FileHeader; +import org.apache.commons.io.FileUtils; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import java.io.File; @@ -12,6 +15,17 @@ import static org.mockito.Mockito.when; public class LocalFolderExtractorTest { + private static File tempFolder; + + @BeforeAll + public static void setupFunctionalTests() throws IOException { + tempFolder = TestCommons.createTempDir(); + } + + @AfterAll + public static void tearDownFunctionalTests() throws IOException { + FileUtils.deleteDirectory(tempFolder); + } @Test public void rarWithDirectoriesOutsideTarget_ShouldThrowException() throws IOException { @@ -55,4 +69,21 @@ public void rarWithFileOutsideTarget_ShouldThrowException() throws IOException { .containsIgnoringCase(expectedInvalidPath.toString()); } + @Test + public void rarWithFileOutsideTarget_ShouldThrowException2() throws Exception { + File file = TestCommons.writeResourceToFolder(tempFolder, "parent-dir.rar"); + LocalFolderExtractor localFolderExtractor = new LocalFolderExtractor(tempFolder); + + try (Archive archive = new Archive(file)) { + FileHeader fileHeader = archive.nextFileHeader(); + + File expectedInvalidPath = new File(tempFolder.getParentFile().getParentFile(), "tmp"); + Throwable thrown = catchThrowable(() -> localFolderExtractor.extract(archive, fileHeader)); + + assertThat(thrown).isInstanceOf(IllegalStateException.class); + assertThat(thrown.getMessage()) + .containsIgnoringCase("Rar contains file with invalid path") + .containsIgnoringCase(expectedInvalidPath.toString()); + } + } }
src/test/resources/com/github/junrar/parent-dir.rar+0 −0 added
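Review bot: in the createFile hunk, the containment test is still a plain string prefix check, `if (!dirCanonPath.startsWith(destination.getCanonicalPath()))`, which accepts any sibling directory whose name merely starts with the destination's canonical path (for example a destination ending in `out` and a target under `outside`). Compare on a path-element boundary instead, e.g. `destination.getCanonicalFile().toPath()` with `Path.startsWith`, or append `File.separator` to the prefix before the comparison.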
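Review bot: the makeFile hunk changes the split to `name.split("/")` and so silently depends on every caller having passed the name through `invariantSeparatorsPathString` first; a caller handing it a raw header name with backslashes would now get a single literal segment. Either normalize again at the top of makeFile or document the precondition in its signature comment so the coupling to createFile is explicit.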
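Review bot: the new `invariantSeparatorsPathString` helper in the last LocalFolderExtractor hunk has no Javadoc even though it is the security-relevant step of the fix; a one-line comment stating that it must be applied before any containment check, and why backslashes are mapped on all platforms, would keep a future refactor from moving it after the check.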
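Review bot: the test name `rarWithFileOutsideTarget_ShouldThrowException2` in the final LocalFolderExtractorTest hunk does not say what distinguishes it from the existing `rarWithFileOutsideTarget_ShouldThrowException`; name it for the case it covers (the backslash-separated entry in `parent-dir.rar`, e.g. `rarWithBackslashPathOutsideTarget_ShouldThrowException`) and add a comment noting the entry name inside the binary fixture, since the `.rar` added in the resources hunk cannot be read in review.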
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-j273-m5qq-6825 (GHSA, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-28208 (GHSA, ADVISORY)
- [3] github.com/junrar/junrar/commit/947ff1d33f00f940aa68ae2593500291d799d954 (GHSA, x_refsource_MISC, WEB)
- [4] github.com/junrar/junrar/releases/tag/v7.5.8 (GHSA, x_refsource_MISC, WEB)
- [5] github.com/junrar/junrar/security/advisories/GHSA-j273-m5qq-6825 (GHSA, x_refsource_CONFIRM, WEB)