Directory Traversal Vulnerability in Apache Ivy Affects Major Versions
CVE-2026-26032

5.4MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
15 July 2026

What is CVE-2026-26032?

The PackagerResolver of Apache Ivy allows an attacker to exploit a directory traversal issue. By manipulating Ivy coordinates containing '../' sequences in ivy.xml files, an attacker with access to a packager repository can break out of the specified 'buildRoot' directory and potentially overwrite other files. This vulnerability affects Apache Ivy versions 2.0.0 through 2.5.3, and users should upgrade to version 2.6.0 to mitigate the risk.

Affected Version(s)

Apache Ivy 2.0.0 <= 2.5.3

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

yudeshui of dhgate security
.