Description
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
Published: 2026-06-08
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Routinator does not properly validate the module component of rsync URIs, allowing a knowledgeable attacker to include the substring '..' and traverse outside of the intended cache directory. This flaw (CWE‑22) can expose the entire Routinator rsync cache to read access.

Affected Systems

All NLnet Labs Routinator releases prior to version 0.15.2 are affected. The fix is present in version 0.15.2 and all subsequent releases.

Risk and Exploitability

The CVSS score of 8.3 denotes a high severity, indicating a significant potential for confidentiality loss if the cache is accessed. The vulnerability requires that an attacker be able to influence the module component of rsync URIs that the Routinator instance accepts. No public exploit or KEV listing is available, and EPSS information is not provided, so the likelihood of exploitation remains uncertain. Resolving the issue by updating to 0.15.2 removes the flaw, but until then, crafted rsync URLs containing '..' in the module name can be used to read arbitrary files within the cache directory.

Generated by OpenCVE AI on June 8, 2026 at 15:51 UTC.

Remediation

Vendor Solution

This issue is fixed in 0.15.2 and all later versions.

OpenCVE Recommended Actions

  • Upgrade to Routinator 0.15.2 or later.
  • Ensure that any rsync URIs configured for the Routinator instance come from trusted sources and do not contain '..' sequences; validate or cleanse the module name if possible.
  • Restrict file system permissions on the cache directory so that only the Routinator process can access it.

Generated by OpenCVE AI on June 8, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
Title Routinator cache path traversal using rogue rsync URIs
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-08T15:38:59.530Z

Reserved: 2026-05-28T08:28:56.664Z

Link: CVE-2026-49233

cve-icon Vulnrichment

Updated: 2026-06-08T15:38:56.002Z

cve-icon NVD

Status : Received

Published: 2026-06-08T15:16:47.693

Modified: 2026-06-08T15:16:47.693

Link: CVE-2026-49233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:00:16Z

Weaknesses