Arbitrary File Write Vulnerability in Zarf Package Manager for Kubernetes
CVE-2026-40090
7.1 HIGH
What is CVE-2026-40090?
Zarf, an Airgap Native Packager Manager for Kubernetes, contains an arbitrary file write vulnerability in versions 0.23.0 through 0.74.1. The flaw lies in the 'zarf package inspect sbom' and 'zarf package inspect documentation' subcommands, where user-controlled input is combined with untrusted package metadata when building output paths. An attacker who can supply a package is able to set the 'Metadata.Name' field in the zarf.yaml manifest to a value containing path traversal sequences or an absolute path. As a result, running inspect on such a package writes files to filesystem locations outside the intended output directory, limited only by the permissions of the user executing the inspect command. This issue was fixed in version 0.74.2.
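As an added illustration of the defensive check this class of bug calls for (example code written for this page, not Zarf's own fix), the function below treats the package name from zarf.yaml as untrusted and refuses to build an output path from it unless the result is a single plain component that stays inside the chosen output directory; the names `safeOutputPath`, `outDir` and the sample package names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a package name would escape the output directory.
var ErrUnsafeName = errors.New("package metadata name is not a safe path component")

// safeOutputPath builds the directory where inspect output (SBOM, docs) for a
// package would be written. name is treated as untrusted input taken from the
// package's zarf.yaml: absolute paths, path separators and "." / ".." are
// rejected outright, and the joined result is then verified to remain inside
// outDir as defense in depth. Illustrative check, not Zarf's implementation.
func safeOutputPath(outDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrUnsafeName
	}
	if filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeName
	}
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample names: one legitimate value and three hostile ones.
	for _, n := range []string{"my-package", "../../etc", "/tmp/x", "a/b"} {
		p, err := safeOutputPath("zarf-sbom", n)
		fmt.Printf("%-12q -> path=%q err=%v\n", n, p, err)
	}
}
```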
Affected Version(s)
zarf >= 0.23.0, < 0.74.2
