Description
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
Published: 2026-06-02
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Collibra Agent's restore handler contains a path traversal flaw that fails to properly validate and canonicalize file paths during ZIP extraction. An attacker can craft a ZIP archive containing paths that traverse outside the intended extraction directory, causing the Agent to write arbitrary files to the file system. This allows the attacker to place or overwrite files such as scripts or configuration files, potentially enabling remote code execution or data tampering.

Affected Systems

The vulnerability is present in both the Collibra Platform SaaS and the on‑premises deployment of the Collibra Platform via the Collibra Agent. No specific version numbers were provided, so all installations of the Agent that implement the restore handler are considered impacted.

Risk and Exploitability

No CVSS or EPSS scores are available, and the vulnerability is not listed in the CISA KEV catalogue. The lack of public exploitation data suggests a low to moderate likelihood of immediate attacks, but the flaw's nature—arbitrary file creation—makes it a high‑impact risk if an attacker can supply a malicious ZIP file. Mitigation should be prioritized for systems that expose the Agent or accept ZIP archives from external sources.

Generated by OpenCVE AI on June 2, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied security patch or update for Collibra Agent as soon as it is released.
  • Restrict the privileges of the Collibra Agent process by running it under a dedicated low‑privilege account and limiting its filesystem permissions to the intended extraction directory.
  • Validate and sanitize any ZIP archives before they are handed to the restore handler, ensuring that extracted paths do not escape the target directory.

Generated by OpenCVE AI on June 2, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-22

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
Title CVE-2026-10621
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-02T14:03:35.360Z

Reserved: 2026-06-02T13:58:49.342Z

Link: CVE-2026-10621

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-02T14:16:45.003

Modified: 2026-06-02T14:46:17.280

Link: CVE-2026-10621

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses