Description
Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation to perform arbitrary file read on the system where Karapace is running. The issue affects deployments that use the backup/restore functionality and process backups from untrusted sources. The impact depends on the file system permissions of the Karapace process. This issue has been patched in version 6.0.0.
Published: 2026-03-07
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

Aven-Open Karapace is an open‑source implementation of Kafka REST and Schema Registry. In versions prior to 6.0.0, the backup reader component contains a path traversal flaw that allows a malicious backup file to be processed with insufficient path validation, enabling arbitrary files on the host where Karapace runs to be read. Depending on the file system permissions granted to the Karapace process, an attacker could access configuration files, secrets, or other sensitive data, resulting in information disclosure.

Affected Systems

The vulnerability affects all deployments of Aiven‑Open Karapace versions before 6.0.0 that use the backup/restore feature and are exposed to untrusted backup files. It is present in the file karapace/backup/backends/v3/backend.py. Users should verify the running version and plan an upgrade.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to supply a crafted backup file to Karapace; if the backup endpoint is reachable over a network, the attack could be performed remotely. Karapace version 6.0.0 contains a fix that removes the path validation flaw.

Generated by OpenCVE AI on April 16, 2026 at 10:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Karapace to version 6.0.0 or later.
  • If an upgrade cannot be performed immediately, restrict access to the backup/restore endpoint to trusted administrators and enforce network segmentation to prevent external actors from uploading backups.
  • Implement server‑side validation of backup filenames, ensuring all paths are confined to the designated backup directory and rejecting any containing '..' or absolute references.

Generated by OpenCVE AI on April 16, 2026 at 10:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:aiven:karapace:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiven
Aiven karapace
Vendors & Products Aiven
Aiven karapace

Sat, 07 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Description Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation to perform arbitrary file read on the system where Karapace is running. The issue affects deployments that use the backup/restore functionality and process backups from untrusted sources. The impact depends on the file system permissions of the Karapace process. This issue has been patched in version 6.0.0.
Title Karapace: Path Traversal in Backup Reader
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Aiven Karapace
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:27:12.083Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29190

cve-icon Vulnrichment

Updated: 2026-03-09T17:38:58.746Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T16:15:54.350

Modified: 2026-03-11T16:48:43.587

Link: CVE-2026-29190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses