CVE-2026-29049 - Vulnerability Details

- melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

Description

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.

Published: 2026-03-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Melange, a tool for building APK packages through declarative pipelines, contains an unbounded HTTP download flaw in its update-cache command. The code copies remote content without imposing a download size limit or HTTP client timeout, enabling an attacker who controls a URI referenced in a melange configuration to write unlimited data to disk. The resulting disk exhaustion can cause the CI build runner to run out of space and fail, effectively degrading availability.

Affected Systems

The affected product is Chainguard's melange, versions 0.40.5 and earlier. This flaw was identified in the pkg/renovate/cache/cache.go file. The vulnerability applies to any environment where melange update-cache is executed with a build configuration that includes attacker-supplied download URLs.

Risk and Exploitability

The CVSS score is 4.3, and EPSS is undersampled (< 1 %), indicating a moderate severity with a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, suggesting it is not currently an actively exploited vulnerability. Exploitation requires control over the melange configuration used in a CI pipeline; therefore the attack vector is likely remote delivery through compromised or malicious build definitions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

chainguard-dev

melange

affected

Version	Status	Constraints
`<= 0.40.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*

No data.

Vendor Product Confidence Versions

Chainguard-dev

Melange

100%

Version	Status	Scheme	Platform
`[0,0.40.5]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Implement strict validation of download URLs in melange configurations, allowing only trusted domains or IPs.
Configure CI environments to enforce disk quotas or monitor available disk space, triggering alerts before exhaustion occurs.
Apply size limits or timeouts to HTTP clients used by melange, or use a reverse proxy that enforces download size constraints.
When a vendor patch becomes available, upgrade melange or manually modify cache.go to add a size cap and timeout.

Generated by OpenCVE AI on April 16, 2026 at 11:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-7rp8-r62p-q6wc	`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc

History

Tue, 10 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chainguard Chainguard melange
CPEs		cpe:2.3:a:chainguard:melange::::::go::*
Vendors & Products		Chainguard Chainguard melange

Mon, 09 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chainguard-dev Chainguard-dev melange
Vendors & Products		Chainguard-dev Chainguard-dev melange

Fri, 06 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runne. There is no known patch publicly available.
Title		melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
Weaknesses		CWE-400 CWE-918
References		https://github.com/chainguard-dev/melange/security/advisories/GHSA-7rp8-r62p-q6wc
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`

Subscriptions

Chainguard Melange

Chainguard-dev Melange

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T07:03:10.361Z

Updated: 2026-03-09T20:00:19.899Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29049

Vulnrichment

Updated: 2026-03-09T20:00:14.380Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:02.093

Modified: 2026-03-10T19:28:57.330

Link: CVE-2026-29049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object