Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87wluwgtvd.fsf@v45346.1blu.de>
Date: Wed, 15 Jul 2026 17:22:46 +0200
From: Stefan Bodewig <bodewig@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-26032: Apache Ivy: PackagerResolver path traversal vulnerability 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: moderate 

Affected versions:

- - Apache Ivy (org.apache.ivy:ivy) 2.0.0 through 2.5.3

Description:

The PackagerResolver of Apache Ivy is able to download online
artifacts and to (re)package them in a format defined by a
packager.xml file. This repackaging is done by an Ant script, which is
stored in a subdirectory of the configured "buildRoot" directory. This
subdirectory is calculated based on modules coordinates, like the
organisation, name or version.

If one of the coordinates contains "../" sequences - which are valid
characters for Ivy coordinates in general- it is possible to break out
of the configured "buildRoot" directory where other files can be
overwritten.

In order to exploit this vulnerability an attacker needs to have
access to a packager repository and add or modify the coordinates in
ivy.xml files to have such "../" sequences.

Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.

Credit:

yudeshui of dhgate security (reporter)

References:

https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-26032

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmpXpcYACgkQohFa4V9ri3L7uACgr9dNo4ef+5Ly4dbgxV3j+x8u
mBMAoLtTpA8DoE84PcOucocRbJt0M/Jf
=tAVg
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.