CVE-2026-49233
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
Routinator does not properly check the module component of rsync URIs, allowing for path traversal. An attacker can exploit a module name containing '..', potentially gaining access to the entire Routinator rsync cache.
Risk Assessment
The ability to access sensitive data in the cache may lead to information disclosure and compromise of system security.
Recommendation
It is recommended to update Routinator to the latest version that fixes the rsync URI checking and to implement additional security measures against path traversal attacks.
Original NVD description (English source)
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

