Donate Telegram

CVE-2026-29064

HIGH CVSS 3.1: 8.2

Mar 06, 2026

Updated Mar 06, 2026

Kubernetes

Parameter	Value
CVSS	8.2 (HIGH)
Affected Versions	before 0.73.1
Fixed In	0.73.1
Type	CWE-22 (Path Traversal (Обход пути))
Vendor	Kubernetes
Public PoC	No

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

Attack Parameters

Attack Vector

Local

Нужен локальный доступ

Attack Complexity

Low

Легко эксплуатировать

Privileges Required

None

Права не нужны

User Interaction

Required

Нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

High

Полная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal (Обход пути)

References 2

https://github.com/zarf-dev/zarf/releases/tag/v0.73.1

security-advisories@github.com

https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25750

Kubernetes

CVE-2026-24005

Kubernetes

CVE-2026-27112

Kubernetes

CVE-2026-27111

Kubernetes

CVE-2026-26056

Kubernetes

CVE Details

CVE ID

CVE-2026-29064

Published Date

Mar 06, 2026

Vendor

Kubernetes

Severity

HIGH

CVSS v3.1 Score

8.2

High severity. Prioritize patching.

Attack Analysis

Exploitability 1.8/10

How easy to exploit

Impact 5.8/10

Severity of consequences

Impact

Full data disclosure

Complete data modification

Source

Editor's Choice