CVE-2026-32771
Description
The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
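The effect of the missing trailing separator, as an added Go example (not the project's code): checkBefore and checkAfter mirror the two checks in the patch, while checkRel, the destination /data/extract and the entry names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// checkBefore mirrors the pre-0.2.2 logic: prefix test without a trailing separator.
func checkBefore(dest, entry string) (string, error) {
	p := filepath.Join(dest, entry)
	if strings.HasPrefix(p, filepath.Clean(dest)) {
		return p, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", entry)
}

// checkAfter mirrors the 0.2.2 logic: the prefix must end at a path separator.
func checkAfter(dest, entry string) (string, error) {
	p := filepath.Join(dest, entry)
	if !strings.HasPrefix(p, filepath.Clean(dest)+string(os.PathSeparator)) {
		return "", fmt.Errorf("filepath is tainted: %s", entry)
	}
	return p, nil
}

// checkRel is an alternative (an assumption of this example, not the project's fix):
// compute the path relative to dest and reject anything that climbs out of it.
func checkRel(dest, entry string) (string, error) {
	p := filepath.Join(dest, entry)
	rel, err := filepath.Rel(filepath.Clean(dest), p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("filepath is tainted: %s", entry)
	}
	return p, nil
}

func main() {
	dest := filepath.FromSlash("/data/extract") // constructed sample destination
	// Constructed sample entry names: in-tree, sibling sharing the prefix, parent escape.
	for _, e := range []string{"logs/app.log", "../extract-old/app.log", "../../etc/x"} {
		_, b := checkBefore(dest, e)
		_, a := checkAfter(dest, e)
		_, r := checkRel(dest, e)
		fmt.Printf("%-24s before=%v after=%v rel=%v\n", e, b == nil, a == nil, r == nil)
	}
}
```

Only the sibling entry separates the two versions: /data/extract-old/app.log begins with the string /data/extract, so the old check accepts it, but it does not begin with /data/extract/.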
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ctfer-io/monitoring (Go) | < 0.2.2 | 0.2.2 |
Affected products: 1
Patches
269dba165aa4 · fix: missing check on archive path sanitization (#169)
1 file changed · +6 −5
pkg/extract/extract.go+6 −5 modified@@ -245,12 +245,13 @@ func untar(r io.Reader, dest string) error { return nil } -func sanitizeArchivePath(d, t string) (v string, err error) { - v = filepath.Join(d, t) - if strings.HasPrefix(v, filepath.Clean(d)) { - return v, nil +// Based upon https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title +func sanitizeArchivePath(destination, filePath string) (destpath string, err error) { + destpath = filepath.Join(destination, filePath) + if !strings.HasPrefix(destpath, filepath.Clean(destination)+string(os.PathSeparator)) { + return destpath, fmt.Errorf("filepath is tainted: %s", destination) } - return "", fmt.Errorf("filepath is tainted: %s", t) + return } func ptr[T any](t T) *T {
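Review bot: on the new rejection branch of sanitizeArchivePath, the error formats `destination` rather than `filePath`, so the message names the extraction root instead of the offending archive entry (the removed code printed `t`). The same branch returns the non-empty `destpath` together with the error, where the removed code returned `""`, so a caller that drops the error still receives the tainted path. Suggest `return "", fmt.Errorf("filepath is tainted: %s", filePath)`. A short doc comment would also help: with the trailing separator appended, an entry that resolves exactly to `destination` is now rejected, which callers of untar may not expect.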
References
- github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a (nvd; Patch; WEB)
- github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25 (nvd; Exploit, Vendor Advisory; WEB)
- security.snyk.io/research/zip-slip-vulnerability (nvd; Exploit, Third Party Advisory; WEB)
- github.com/advisories/GHSA-f7cq-gvh6-qr25 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32771 (ghsa; ADVISORY)