Description
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download.

Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.

This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.

This issue affects Gleam from 1.9.0-rc1 until 1.15.4.
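The pattern the description refers to, shown as an added illustration rather than code from the Gleam compiler (which is written in Rust): a dependency directory path computed by joining the declared name onto the dependency root, first as an unchecked join that follows `../` and absolute names out of the directory, then confined so that the result can only ever be a single component directly under the root. The directory name, the `NameError` type and the character set accepted for package names are assumptions of this example.

```rust
// Added example (not the Gleam project's code): how an unvalidated dependency
// name escapes the dependency directory, and a confined alternative.
use std::path::{Component, Path, PathBuf};

/// The directory the build tool intends to populate. Assumed layout for this
/// example; Gleam's real directory names are not reproduced here.
const DEPS_DIR: &str = "/work/project/build/packages";

/// Vulnerable pattern: the name taken from gleam.toml / manifest.toml is joined
/// to the dependency directory as-is. `Path::join` discards the base entirely
/// when the right-hand side is absolute, and `..` components are kept verbatim,
/// so both traversal forms land outside DEPS_DIR. Do not use.
fn unchecked_dependency_path(name: &str) -> PathBuf {
    Path::new(DEPS_DIR).join(name)
}

#[derive(Debug, PartialEq)]
enum NameError {
    Empty,
    BadChar(char),
    Escapes,
}

/// Accept only the shape a package name can legitimately have: lowercase ASCII
/// letters, digits and underscores (an assumption for this example). That set
/// contains no path separator, no `.` and no root marker, so `..`, `a/b` and
/// `/etc` are all rejected before any path is built.
fn validate_dependency_name(name: &str) -> Result<(), NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    match name
        .chars()
        .find(|c| !(c.is_ascii_lowercase() || c.is_ascii_digit() || *c == '_'))
    {
        Some(c) => Err(NameError::BadChar(c)),
        None => Ok(()),
    }
}

/// Hardened pattern: validate the name, then independently confirm that the
/// joined path is exactly one normal component under the base. Checking the
/// result as well as the input means a later relaxation of the name rules
/// cannot silently reintroduce traversal.
fn confined_dependency_path(name: &str) -> Result<PathBuf, NameError> {
    validate_dependency_name(name)?;
    let base = Path::new(DEPS_DIR);
    let candidate = base.join(name);
    let relative = candidate
        .strip_prefix(base)
        .map_err(|_| NameError::Escapes)?;
    let single_component = {
        let mut parts = relative.components();
        matches!((parts.next(), parts.next()), (Some(Component::Normal(_)), None))
    };
    if single_component {
        Ok(candidate)
    } else {
        Err(NameError::Escapes)
    }
}

fn main() {
    // Constructed names: one legitimate, two traversal forms, one nested path.
    for name in ["gleam_stdlib", "../../../home/user/.gitconfig", "/etc/cron.d", "a/b"] {
        println!("{name:?}");
        println!("  unchecked: {}", unchecked_dependency_path(name).display());
        println!("  confined:  {:?}", confined_dependency_path(name));
    }
}
```

Running the same two-stage check before every `remove_dir_all` or `create_dir_all` on the computed path is the property a fix for this class of bug needs: whatever a manifest declares, the operation can only touch a directory directly under the dependency root.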
Published: 2026-04-11
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File System Modification
Action: Apply Patch
AI Analysis

Impact

Improper path validation in Gleam’s compiler allows an attacker to craft git dependency names that include relative or absolute traversal characters. During the dependency download step, the compiler creates, deletes, or overwrites directories based on these names, enabling the modification of arbitrary files outside the intended dependency directory. This can result in data loss and, in some cases, provide a foothold for execution by overwriting sensitive configuration or hook files. The weakness is a classic directory traversal flaw (CWE‑22).

Affected Systems

The vulnerability affects Gleam from 1.9.0‑rc1 up to the fix in 1.15.4 (the earlier advisory text named 1.15.3 and 1.16.0‑rc1 as the last affected releases). Users of a compiler in that range who fetch dependencies from git repositories, whether declared directly or pulled in transitively, are at risk. No specific operating system or environment is singled out; the flaw resides entirely in the Gleam build tool.

Risk and Exploitability

The CVSS 4.0 base score of 8.3 (vector AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H) indicates high severity: the attack is local and needs active user interaction, meaning a developer or CI job has to run dependency resolution on a project whose tree includes the malicious repository, after which the integrity of the vulnerable system and of files beyond it is fully exposed. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the flaw is not in the CISA KEV catalog, although the SSVC record notes that a proof of concept exists. An attacker therefore has to get a malicious git dependency into a project's configuration, directly or through a transitive dependency, so build environments and scripts that resolve dependencies automatically and without review present the primary attack surface.

Generated by OpenCVE AI on April 14, 2026 at 11:20 UTC.

Remediation

Vendor Solution

Upgrade to Gleam 1.15.4 or later. Both patches must be applied: the original incomplete fix (1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf, backported as 55bb36e6d7febfbbc48c4d001e0ae13eb0312d78 to 1.15) and the follow-up fix (2dc0467f822c75de94697a912755d172928ee40a, backported as 92aae3913570e8d8962f6399404777d313045bfa to 1.15). Gleam 1.15.4 includes both.


Vendor Workaround

* Avoid using untrusted git dependencies, especially without pinning to a specific commit SHA
* Review dependency trees carefully, including transitive git dependencies
* Run dependency resolution commands in a restricted or isolated environment (e.g. containers)


OpenCVE Recommended Actions

  • Upgrade to Gleam 1.15.4 or later. The new release consolidates both the original and follow‑up patches, correcting the path validation issue.
  • If an upgrade is not immediately possible, apply both backported patches from the commit history: the original, incomplete fix (1aa5d8e5… backported as 55bb36e6…) and the follow‑up fix (2dc0467f… backported as 92aae391…). The first commit alone does not close the issue.
  • Pin all git dependencies to an explicit commit SHA so that a repository you have reviewed cannot later change the dependency names or contents it declares; pinning does not by itself make an unreviewed repository safe.
  • Audit the dependency tree to locate transitive git dependencies and verify their integrity before resolution.
  • Execute dependency downloads in a restricted or isolated environment—such as containers or sandboxed build servers—to limit potential filesystem reach.
  • Avoid incorporating untrusted git dependencies in production builds; prefer vetted, version‑pinned sources whenever possible.
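A way to act on the pinning and audit items above, as an added example that is not part of Gleam's tooling: a line-oriented pass over a project's gleam.toml that lists each git dependency, reports whether its `ref` is a full commit SHA, and flags any dependency key that is not a plain package name. The `[dependencies]` / `{ git = "...", ref = "..." }` layout is Gleam's documented syntax as recalled here and is treated as an assumption; the sample file is constructed for the example, and the parsing is deliberately minimal (one declaration per line, no commas inside URLs).

```rust
// Added example (not Gleam's own tooling): audit a gleam.toml for git
// dependencies that are not pinned to a full commit SHA, and for dependency
// keys that could not be a legitimate package name.

/// One git dependency as declared in a dependency section of gleam.toml.
#[derive(Debug, Clone, PartialEq)]
struct GitDep {
    section: String,
    name: String,
    url: String,
    reference: String,
}

#[derive(Debug, Clone, PartialEq)]
enum Finding {
    /// `ref` is a full 40-hex-digit commit SHA: the content cannot move under you.
    Pinned(GitDep),
    /// `ref` is a branch, tag or abbreviated SHA: the remote can change what it points at.
    Unpinned(GitDep),
    /// The dependency key is not a plain package name: reject before resolving anything.
    SuspiciousName(GitDep),
}

/// Pull the string value of `key = "..."` out of an inline table `{ ... }`.
/// Minimal on purpose: splits on commas, so URLs containing commas are unsupported.
fn inline_str(body: &str, key: &str) -> Option<String> {
    body.trim()
        .trim_start_matches('{')
        .trim_end_matches('}')
        .split(',')
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.trim(), v.trim().trim_matches('"')))
        .find(|(k, _)| *k == key)
        .map(|(_, v)| v.to_string())
}

fn is_full_sha(r: &str) -> bool {
    r.len() == 40 && r.chars().all(|c| c.is_ascii_hexdigit())
}

/// Lowercase ASCII letters, digits and underscores only (assumed name rule).
fn is_plain_name(n: &str) -> bool {
    !n.is_empty() && n.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
}

/// Walk the file line by line, track the current `[section]`, and classify every
/// git dependency found in the dependency sections. Hex version requirements
/// (plain strings) and non-git inline tables are skipped.
fn audit_gleam_toml(toml: &str) -> Vec<Finding> {
    let mut section = String::new();
    let mut findings = Vec::new();
    for raw in toml.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') {
            section = line.trim_matches(|c: char| c == '[' || c == ']').to_string();
            continue;
        }
        if section != "dependencies" && section != "dev-dependencies" {
            continue;
        }
        let (key, value) = match line.split_once('=') {
            Some(kv) => kv,
            None => continue,
        };
        // TOML only allows traversal-looking names as quoted keys; strip the quotes.
        let name = key.trim().trim_matches('"');
        let value = value.trim();
        if !value.starts_with('{') {
            continue;
        }
        let url = match inline_str(value, "git") {
            Some(u) => u,
            None => continue,
        };
        let dep = GitDep {
            section: section.clone(),
            name: name.to_string(),
            url,
            reference: inline_str(value, "ref").unwrap_or_default(),
        };
        let finding = if !is_plain_name(&dep.name) {
            Finding::SuspiciousName(dep)
        } else if is_full_sha(&dep.reference) {
            Finding::Pinned(dep)
        } else {
            Finding::Unpinned(dep)
        };
        findings.push(finding);
    }
    findings
}

/// Constructed sample manifest for this example (not a real project).
const SAMPLE_GLEAM_TOML: &str = r#"
name = "app"
version = "1.0.0"

[dependencies]
gleam_stdlib = ">= 0.44.0 and < 2.0.0"
good_lib = { git = "https://example.invalid/good_lib.git", ref = "0123456789abcdef0123456789abcdef01234567" }
tagged_lib = { git = "https://example.invalid/tagged_lib.git", ref = "v1.2.0" }
"../../../home/victim/.ssh" = { git = "https://example.invalid/evil.git", ref = "main" }

[dev-dependencies]
gleeunit = ">= 1.0.0 and < 2.0.0"
floating = { git = "https://example.invalid/floating.git", ref = "main" }
"#;

fn main() {
    for finding in audit_gleam_toml(SAMPLE_GLEAM_TOML) {
        println!("{finding:?}");
    }
}
```

Run the pass over the gleam.toml of every git dependency that gets checked out, not only the top-level project, since the transitive case is the one the advisory calls out; a full SHA in `ref` is what lets a reviewed repository stay reviewed, which is why the vendor workaround asks for it.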

Generated by OpenCVE AI on April 14, 2026 at 11:20 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type: First Time appeared
  Added: Gleam-lang; Gleam-lang gleam
Type: CPEs
  Added: cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Gleam-lang; Gleam-lang gleam

Tue, 14 Apr 2026 10:00:00 +0000

Type: Description
  Removed: Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1.
  Added: Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.4.
Type: References (empty)
Type: Metrics
  Removed: cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}
  Added: cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H'}

Mon, 13 Apr 2026 18:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
  Added: Gleam; Gleam gleam
Type: Vendors & Products
  Added: Gleam; Gleam gleam

Mon, 13 Apr 2026 12:15:00 +0000

Type: References (empty)
Type: Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; threat_severity Important

Sat, 11 Apr 2026 13:30:00 +0000

Type: Description
  Added: Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1.
Type: Title
  Added: Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Type: Weaknesses
  Added: CWE-22
Type: References (empty)
Type: Metrics
  Added: cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-22T16:03:21.163Z

Reserved: 2026-03-10T22:37:29.213Z

Link: CVE-2026-32146

Vulnrichment

Updated: 2026-04-13T17:44:45.486Z

NVD

Status: Awaiting Analysis

Published: 2026-04-11T14:16:03.640

Modified: 2026-04-14T10:16:30.200

Link: CVE-2026-32146

Redhat

Severity: Important

Public Date: 2026-04-11T12:59:22Z

Links: CVE-2026-32146 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:13Z

Weaknesses