Directory Traversal Vulnerability in Go's Root File Operations
CVE-2026-39822

Currently unrated

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-39822?

A directory traversal issue exists in Go's file handling on Unix systems, where the 'os.Root' function incorrectly follows symbolic links that point outside of the designated root directory. This misbehavior allows access to files and directories that should be restricted, making applications vulnerable to unauthorized file access. When the last component of the file path is a symlink, an attacker could exploit this flaw to traverse the filesystem beyond intended boundaries, potentially accessing sensitive information.

Affected Version(s)

os 0 < 1.25.12

os 1.26.0-0 < 1.26.5

os 1.27.0-0 < 1.27.0-rc.2

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mundur (https://github.com/M0nd0R)
.