Path Traversal Vulnerability in Karapace by Aiven
CVE-2026-29190

4.1 MEDIUM

Key Information:

Vendor: Aiven-open
Status: Vendor
CVE Published: 7 March 2026

What is CVE-2026-29190?

Karapace, an open-source implementation of Kafka REST and Schema Registry, is susceptible to a Path Traversal vulnerability in its backup reader module. The issue arises when untrusted backup files are processed: path validation is insufficient, so an attacker who can supply a crafted backup can cause Karapace to read arbitrary files on the system it runs on. Deployments that use the backup and restore functionality are the ones exposed, and the extent of the impact is bounded by the file system permissions of the Karapace process. The vulnerability is fixed in version 6.0.0.

Affected Version(s)

karapace < 6.0.0
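The defensive pattern behind the fix category described above is to validate every file name taken from a backup before it is opened, rejecting absolute paths, parent-directory components and anything that resolves outside the restore directory. The following is an added illustration of that check and is not Karapace's own code; the helper names (`safe_join`, `filter_entries`) and the backup entry names are constructed for the example, and the check is generic rather than specific to Karapace's backup format.

```python
import os
from pathlib import PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a backup entry would escape the restore directory."""


def safe_join(base_dir: str, entry_name: str) -> str:
    """Return the absolute path for a backup entry, or raise UnsafePathError.

    All rejections happen before any file is opened. The name is treated as
    untrusted input: it came from the backup, not from the operator.
    (Hypothetical helper written for this example.)
    """
    if not entry_name or "\x00" in entry_name:
        raise UnsafePathError("empty or NUL-containing entry name")
    if "\\" in entry_name:
        # Backslashes are never valid in a portable backup entry; on Windows
        # they would act as separators and bypass the checks below.
        raise UnsafePathError(f"backslash in entry name: {entry_name!r}")

    parts = PurePosixPath(entry_name)
    if parts.is_absolute():
        raise UnsafePathError(f"absolute path rejected: {entry_name!r}")
    if ".." in parts.parts:
        raise UnsafePathError(f"parent reference rejected: {entry_name!r}")

    # Resolve both sides so symlinks inside base_dir cannot redirect the
    # write or read outside it, then require the entry to stay under base.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts.parts))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"entry escapes restore directory: {entry_name!r}")
    return candidate


def filter_entries(base_dir: str, entry_names):
    """Split a list of backup entry names into (accepted_paths, rejected_names).

    A restore routine would process only accepted_paths and log rejected_names
    as evidence of a malformed or malicious backup.
    """
    accepted, rejected = [], []
    for name in entry_names:
        try:
            accepted.append(safe_join(base_dir, name))
        except UnsafePathError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample entry names, as they might appear in a backup listing.
    sample = [
        "schemas/topic-1.json",
        "./schemas/topic-2.json",
        "../outside.txt",
        "/etc/hostname",
        "schemas/../../outside.txt",
    ]
    ok, bad = filter_entries("/tmp/restore-example", sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

A restore routine that calls `safe_join` on every entry before opening it, and refuses the whole backup when any entry is rejected, turns a crafted archive into a logged error rather than a file read outside the restore directory.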

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved