Description
Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.

The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.

An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.

This issue affects Gleam from 1.16.0 until 1.17.0.
Published: 2026-06-02
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gleam’s documentation generator allows path traversal through the documentation.pages entries defined in gleam.toml, which are incorporated into filesystem paths without sufficient validation or confinement. The documentation.pages[].path field can be crafted to place generated documentation files outside the intended build/dev/docs/<package>/ output directory, and the documentation.pages[].source field can reference files outside the project directory for inclusion in the generated output. An attacker who controls the project or its gleam.toml content, and who gets the victim to run gleam docs build, can read any file the victim's user account can read (its contents are embedded in the generated documentation artifacts) and can write generated documentation files to attacker-chosen locations outside the intended output directory, violating confidentiality and integrity. The published CVSS v4 vector rates the availability impact as none (VA:N).

Affected Systems

The vulnerability affects the Gleam compiler and tooling in releases from version 1.16.0 up to, but not including, 1.17.0; 1.17.0 and later are not affected.

Risk and Exploitability

The CVSS v4.0 base score of 4.6 (Medium) reflects a local attack vector (AV:L), no privileges required (PR:N), active user interaction (UI:A) and low confidentiality and integrity impact (VC:L/VI:L). The EPSS probability is below 1% and the vulnerability is not listed in the CISA KEV catalog, which suggests a low likelihood of widespread exploitation, although the SSVC record notes that a proof of concept exists. Exploitation requires convincing a victim to run gleam docs build on a project or gleam.toml file that the attacker controls, for example a repository the victim clones and builds documentation for. Once the build runs, the path traversal reads and writes files with the victim's privileges. Affected versions provide no confinement of these paths in the tool itself, so until the tooling is upgraded to 1.17.0 or later the risk depends heavily on operational controls such as reviewing gleam.toml and isolating the build.

Generated by OpenCVE AI on June 2, 2026 at 15:36 UTC.

Remediation

Vendor Workaround

* Avoid running gleam docs build on untrusted projects
* Review documentation.pages entries in gleam.toml before generating documentation
* Run documentation generation in a restricted or isolated environment (e.g. containers)


OpenCVE Recommended Actions

  • Do not run gleam docs build on untrusted projects or with untrusted gleam.toml content.
  • Review and validate documentation.pages entries in gleam.toml before triggering the documentation build process.
  • Execute the documentation generation step in a restricted or isolated environment such as a container or virtual machine, mounting only the project checkout: anything readable inside that environment can still be copied into the generated documentation, and anything writable there can receive the generated files.

Generated by OpenCVE AI on June 2, 2026 at 15:36 UTC.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gleam
                                      Gleam gleam
Vendors & Products                    Gleam
                                      Gleam gleam

Tue, 02 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Description                           Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output. An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory. This issue affects Gleam from 1.16.0 until 1.17.0.
Title                                 Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write
First Time appeared                   Gleam-lang
                                      Gleam-lang gleam
Weaknesses                            CWE-22
CPEs                                  cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*
Vendors & Products                    Gleam-lang
                                      Gleam-lang gleam
References
Metrics                               cvssV4_0
                                      {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:20.700Z

Reserved: 2026-03-13T09:12:14.474Z

Link: CVE-2026-32685

Vulnrichment

Updated: 2026-06-02T15:05:46.263Z

NVD

Status : Deferred

Published: 2026-06-02T14:16:50.610

Modified: 2026-06-02T16:16:36.277

Link: CVE-2026-32685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')