Moderate severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026
melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
CVE-2026-29049
Description
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, `melange update-cache` downloads URIs from build configs via `io.Copy` without any size limit or HTTP client timeout (`pkg/renovate/cache/cache.go`). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. There is no known patch publicly available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chainguard.dev/melange (Go) | <= 0.40.5 | — |
Affected products
- OSV coordinates (4 versions):
  - pkg:apk/chainguard/melange
  - pkg:apk/wolfi/melange
  - pkg:golang/chainguard.dev/melange
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: <= 0.40.5
- (no CPE) range: < 0.0.20260317T205859-150000.1.152.1
- Range: <= 0.40.5
References
- github.com/advisories/GHSA-7rp8-r62p-q6wc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-29049 (ghsa, ADVISORY)
- github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc (ghsa, x_refsource_CONFIRM, WEB)