Description
K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
Published: 2026-06-25
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

K3s’s etcd snapshot decompression can extract ZIP archive members with malicious names and write them to arbitrary filesystem locations. This allows an attacker who can trigger a restore operation to create or overwrite any file on the host, potentially compromising the Kubernetes cluster. The weakness is a classic directory traversal flaw (CWE-22).

Affected Systems

The vulnerability affects K3s releases older than 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. Administrators using these versions and performing etcd snapshot restores are impacted.

Risk and Exploitability

The CVSS score of 5.8 reflects a moderate severity. No EPSS data is available, so the likelihood of exploitation is unknown. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector requires the attacker to trigger a restore of a maliciously crafted ZIP file; thus the attacker must have administrative access to the K3s control plane or the ability to supply snapshot archives.

Generated by OpenCVE AI on June 25, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the K3s version; if it is older than 1.35.3+k3s1, 1.34.6+k3s1, or v1.33.10+k3s1, upgrade immediately to the supported release. The upgrade patch removes the unsafe snapshot decompression routine and validates archive paths before extraction. This is the definitive fix.
  • Ensure that only trusted and authenticated users can initiate etcd snapshot restores; restrict the restore API to administrators and enforce strict role-based access control. This limits the opportunity for an attacker to supply malicious archives.
  • Require that uploaded snapshot archives are signed or have an associated checksum, and verify this integrity before extraction to ensure only legitimate snapshots are restored.
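The flaw described under Impact and the check the upgrade is said to perform ("validates archive paths before extraction") come down to one routine: resolve each ZIP member name against the restore directory and refuse any name that lands outside it. The following Go program is an added example written for this page; it is not K3s's own code, and the function names, the restore directory and the in-memory archives it builds are all constructed for the demonstration. It validates every member name before writing anything (so one bad member aborts the whole restore with no partial writes) and refuses symlinks and other non-regular entries.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath flags an archive member whose name would resolve outside the
// destination directory (CWE-22).
var ErrUnsafePath = errors.New("archive member escapes destination directory")

// SafeMemberPath resolves a ZIP member name against dest and returns the
// on-disk path it may be written to. Absolute names and names whose ".."
// components climb above dest are rejected. The check is purely lexical:
// filepath.Join cleans the result, so the only remaining question is whether
// the cleaned path still sits at or below dest.
func SafeMemberPath(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	if name == "" || strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") ||
		filepath.IsAbs(filepath.FromSlash(name)) {
		return "", ErrUnsafePath
	}
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractZip unpacks archive under dest. Every member name is validated before
// anything touches the disk, so a single bad member aborts the restore with no
// partial writes. Only directories and regular files are materialised.
func ExtractZip(archive []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	// Pass 1: validate every member up front (fail closed).
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		t, err := SafeMemberPath(dest, f.Name)
		if err != nil {
			return nil, fmt.Errorf("member %q: %w", f.Name, err)
		}
		if !f.FileInfo().IsDir() && !f.Mode().IsRegular() {
			return nil, fmt.Errorf("member %q: refusing non-regular entry (%v)", f.Name, f.Mode())
		}
		targets[i] = t
	}
	// Pass 2: write the now-validated paths.
	var written []string
	for i, f := range r.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o750); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o750); err != nil {
			return written, err
		}
		if err := copyMember(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

func copyMember(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// member is a (name, content) pair used only to construct sample archives.
type member struct{ Name, Content string }

// BuildArchive assembles an in-memory ZIP from constructed members; a name
// ending in "/" becomes a directory entry.
func BuildArchive(members []member) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, m := range members {
		fw, err := w.Create(m.Name)
		if err != nil {
			panic(err)
		}
		if m.Content != "" {
			if _, err := fw.Write([]byte(m.Content)); err != nil {
				panic(err)
			}
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "snapshot-restore-") // constructed restore directory
	defer os.RemoveAll(dest)

	// Constructed sample: a well-formed snapshot archive.
	good := BuildArchive([]member{{"db/", ""}, {"db/state.db", "etcd data"}})
	files, err := ExtractZip(good, dest)
	fmt.Println("well-formed archive:", files, err)

	// Constructed sample: one member name climbs out of dest; nothing is written.
	bad := BuildArchive([]member{{"db/state.db", "etcd data"}, {"../../escaped.txt", "x"}})
	_, err = ExtractZip(bad, dest)
	fmt.Println("traversal archive:", err)
}
```

The containment test is lexical only: it does not follow symlinks that already exist under the restore directory, so a hardened restore path should also extract into a freshly created, empty directory owned by the restoring process.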

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           K3s; K3s k3s
Vendors & Products   (none)           K3s; K3s k3s

Thu, 25 Jun 2026 18:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
Title        (none)           K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Weaknesses   (none)           CWE-22
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:56:56.747Z

Reserved: 2026-06-12T16:25:43.085Z

Link: CVE-2026-54250

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T07:15:16Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')