Improper Path Validation in Gleam Compiler Affects File System Security
CVE-2026-32146
6.2 MEDIUM
What is CVE-2026-32146?
An improper path validation vulnerability in the Gleam compiler allows an attacker to manipulate filesystem paths during the handling of git dependencies. This occurs when dependency names are integrated into filesystem paths without adequate validation, enabling potential exploitation through relative and absolute path traversal techniques. By leveraging malicious dependencies, an attacker may modify or delete directories beyond the intended scope, leading to data loss or even unauthorized code execution in certain configurations. Such vulnerabilities underscore the need for secure dependency management practices.
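The root cause described above is a dependency name used as a filesystem path segment without validation. The following is an added illustration, not code from the Gleam compiler (which is a Rust project): a hypothetical validator that refuses names able to escape the package directory, plus a second check on the joined path before any delete or write uses it. The `[a-z0-9_]` character set and the error type are assumptions made for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a dependency name is refused. Hypothetical type for this example.
#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    Absolute,
    ParentTraversal,
    Separator,
    BadChar(char),
    Escaped,
}

/// Reject any name that could leave the dependency directory once joined
/// onto it: absolute paths, `..` components, separators, and characters
/// outside the conservative `[a-z0-9_]` set assumed here for package names.
pub fn validate_dependency_name(name: &str) -> Result<(), NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    let p = Path::new(name);
    if p.is_absolute() || p.has_root() {
        return Err(NameError::Absolute);
    }
    if p.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err(NameError::ParentTraversal);
    }
    if name.contains('/') || name.contains('\\') {
        return Err(NameError::Separator);
    }
    let allowed = |c: char| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_';
    if let Some(c) = name.chars().find(|&c| !allowed(c)) {
        return Err(NameError::BadChar(c));
    }
    Ok(())
}

/// Defence in depth: build `root/<name>` and confirm it is still a direct
/// child of `root` before any delete or write is allowed to touch it.
pub fn dependency_dir(root: &Path, name: &str) -> Result<PathBuf, NameError> {
    validate_dependency_name(name)?;
    let dir = root.join(name);
    if dir.parent() != Some(root) {
        return Err(NameError::Escaped);
    }
    Ok(dir)
}
```

Calling `dependency_dir` with a constructed root such as `/work/build/packages` returns the child path for `gleam_stdlib` and an error for `../../home`, `/etc`, `a/b` or `Foo`.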
Affected Version(s)
Gleam 1.9.0-rc1
Gleam a4fde22445ab8e5cc79c2ff48971616cb570702c
References
CVSS V4
Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
John Downey
Louis Pilfold
Jonatan Männchen / EEF
