Symlink Following Vulnerability in Gleam's Hex Package Export
CVE-2026-42795
What is CVE-2026-42795?
A symlink following vulnerability exists in Gleam's Hex package export feature. An attacker with write access to the project repository can commit a symlink inside one of the publishable directories, such as src/ or priv/, that points at a file outside the project root. When a maintainer or CI pipeline then runs gleam publish or gleam export hex-tarball, the exporter follows the link, so any local file readable by the publishing user, including secrets, tokens, or SSH keys, can be copied into the generated package artifact, and gleam publish then pushes that artifact to the Hex registry. The scope is therefore everything the publisher can read, not just the repository contents. Versions from 0.10.0-rc1 up to but not including 1.17.0 are affected; upgrade to 1.17.0 or later, and until then audit the publishable directories for symlinks that resolve outside the project root before publishing.
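The following is an added example, not code from the Gleam project, that models the issue described above and the pre-publish check a CI step would want. It builds a constructed project directory whose src/ contains a symlink to a private key outside the project root, shows that a tarball builder which dereferences symlinks copies the key into the artifact, and contrasts that with a builder that stores the link as a link entry (one possible hardening, not a description of Gleam's actual fix). The directory names src/ and priv/ are taken from the advisory; the secret path, file names and audit function are assumptions for illustration.

```python
"""Pre-publish symlink audit for a Hex-style package directory (added example)."""
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Assumption: the publishable directories named in the advisory.
PUBLISH_DIRS = ("src", "priv")


def audit_publish_dirs(project_root):
    """Return [(link_relpath, resolved_target)] for every symlink under the
    publishable directories whose target resolves outside project_root.
    Symlinks that stay inside the project are allowed and not reported."""
    root = Path(project_root).resolve()
    escapes = []
    for sub in PUBLISH_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        # followlinks=False: inspect a symlinked directory as a link, never descend into it.
        for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
            for name in dirnames + filenames:
                p = Path(dirpath) / name
                if p.is_symlink():
                    target = p.resolve()  # non-strict: dangling links still resolve to a path
                    if target != root and root not in target.parents:
                        escapes.append((str(p.relative_to(root)), str(target)))
    return escapes


def build_tarball(project_root, follow_symlinks):
    """Build an in-memory .tar.gz of the publishable directories.
    follow_symlinks=True models the vulnerable behaviour: the link target's bytes
    are copied into the archive. False stores a symlink entry instead, so nothing
    outside the project root is ever read."""
    root = Path(project_root).resolve()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", dereference=follow_symlinks) as tar:
        for sub in PUBLISH_DIRS:
            d = root / sub
            if d.is_dir():
                tar.add(d, arcname=sub)
    return buf.getvalue()


def tarball_contents(data):
    """Map member name -> bytes for regular files, None for symlink entries."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
            elif m.issym():
                out[m.name] = None
    return out


def demo():
    """Constructed scenario: src/ holds a symlink to a key outside the project root.
    Returns (escapes, bytes stored for the link by the naive builder, same for the safe builder)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed secret living outside the project, readable by the publisher.
        secret = tmp / "home" / ".ssh" / "id_ed25519"
        secret.parent.mkdir(parents=True)
        secret.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")

        project = tmp / "proj"
        (project / "src").mkdir(parents=True)
        (project / "priv").mkdir()
        (project / "src" / "app.gleam").write_text("pub fn main() { Nil }\n")
        # Attacker-controlled commit: a source-looking name that points outside the root.
        os.symlink(secret, project / "src" / "config.gleam")
        # Benign in-tree symlink: resolves inside the project, so the audit must not flag it.
        os.symlink(project / "src" / "app.gleam", project / "priv" / "app_link.gleam")

        escapes = audit_publish_dirs(project)
        naive = tarball_contents(build_tarball(project, follow_symlinks=True))
        safe = tarball_contents(build_tarball(project, follow_symlinks=False))
        return escapes, naive.get("src/config.gleam"), safe.get("src/config.gleam")


if __name__ == "__main__":
    escapes, leaked, stored = demo()
    print("escaping symlinks:", escapes)
    print("naive builder stored the key:", leaked is not None and b"PRIVATE KEY" in leaked)
    print("safe builder stored a link entry only:", stored is None)
```

In a pipeline, run audit_publish_dirs on the checkout and fail the job if it returns anything before invoking gleam publish; the in-tree link in the demo shows the check only rejects links that actually leave the project root.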
Affected Version(s)
Gleam 0.10.0-rc1 < 1.17.0
Gleam c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c < 6435a5528b9ae0449e2f32be579641ec485f6866
