Improper Permissions in GNU Nano Allows Local File Manipulation
CVE-2026-40556
2.1 LOW
What is CVE-2026-40556?
GNU Nano sets improper permissions on the user's ~/.local directory when it creates it for the first time. It requests the overly permissive mode 0777 and relies on the process umask to restrict it, so wherever the umask is relaxed the directory ends up world-writable. This is a significant risk in container environments, CI/CD runners, and other system configurations where the umask is set to 000. A local attacker can exploit the timing between the creation of ~/.local and its subdirectories to inject malicious files into the XDG directory hierarchy, thereby compromising user security.
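As an added illustration (not nano's code and not part of the advisory), the directory-creation pattern the advisory describes, a mkdir with mode 0777 under a relaxed umask, beside the umask-independent alternative, plus a check a defender can run against an existing ~/.local; the helper names and the scratch path under /tmp are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (what the advisory describes): ask for 0777 and rely on the
 * process umask to strip group/other bits. Under umask 000 nothing is stripped. */
int mkdir_weak(const char *path) { return mkdir(path, 0777); }

/* Hardened pattern: ask for owner-only bits, so the result is umask-independent. */
int mkdir_private(const char *path) { return mkdir(path, S_IRWXU); }

/* Permission bits of path (0777-style), or -1 on error. */
int dir_mode(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Defender's check: does group or other have write access? Run it against an
 * existing ~/.local to see whether it was created under a relaxed umask. */
int is_writable_by_others(const char *path) {
    int mode = dir_mode(path);
    return mode >= 0 && (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Create a scratch ".local" with `creator` while the umask is 000 (the relaxed
 * container/CI setting the advisory mentions) and report the resulting mode.
 * Hypothetical helper for this example; returns -1 on any failure. */
int mode_under_umask0(int (*creator)(const char *)) {
    char tmpl[] = "/tmp/dotlocal-demo-XXXXXX";   /* constructed scratch parent */
    if (mkdtemp(tmpl) == NULL) return -1;
    char target[sizeof tmpl + 8];
    snprintf(target, sizeof target, "%s/.local", tmpl);
    mode_t old = umask(0);                       /* mimic umask 000 */
    int rc = creator(target);
    umask(old);                                  /* restore the caller's umask */
    int mode = (rc == 0) ? dir_mode(target) : -1;
    rmdir(target);
    rmdir(tmpl);
    return mode;
}

int main(void) {
    printf("mkdir(path, 0777)    under umask 000 -> %04o\n", mode_under_umask0(mkdir_weak));
    printf("mkdir(path, S_IRWXU) under umask 000 -> %04o\n", mode_under_umask0(mkdir_private));
    return 0;
}
```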
Affected Version(s)
nano 2.9.1 up to (but not including) 9.0
References
CVSS v4
Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability reserved
Credit
Michal Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)