CVE Catalog

CVE-2026-49233

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

15th percentile - higher than 15% of all known CVEs

Summary

Routinator does not properly check the module component of rsync URIs, allowing for path traversal. An attacker can exploit a module name containing '..', potentially gaining access to the entire Routinator rsync cache.

Risk Assessment

The ability to access sensitive data in the cache may lead to information disclosure and compromise of system security.

Recommendation

It is recommended to update Routinator to the latest version that fixes the rsync URI checking and to implement additional security measures against path traversal attacks.

Original NVD description (English source)

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS