Directory Traversal Vulnerability in Go's Root File Operations
CVE-2026-39822
Currently unrated
What is CVE-2026-39822?
A directory traversal issue exists in Go's file handling on Unix systems, where the 'os.Root' function incorrectly follows symbolic links that point outside of the designated root directory. This misbehavior allows access to files and directories that should be restricted, making applications vulnerable to unauthorized file access. When the last component of the file path is a symlink, an attacker could exploit this flaw to traverse the filesystem beyond intended boundaries, potentially accessing sensitive information.
Affected Version(s)
os 0 < 1.25.12
os 1.26.0-0 < 1.26.5
os 1.27.0-0 < 1.27.0-rc.2
