Access Control Bypass in Wasmtime Runtime for WebAssembly
CVE-2026-47261
What is CVE-2026-47261?
An access control bypass vulnerability exists in the Wasmtime runtime for WebAssembly, where certain filesystem permissions can be bypassed when specific preopen configurations are used. This occurs in versions prior to 24.0.9, 36.0.10, and 44.0.2, allowing unauthorized access to files through the wasip2 descriptor.open-at or wasip1 path_open interfaces. The issue arises from incorrect handling of the OpenFlags::TRUNCATE flag, which failed to set necessary write permissions in the access control checks. As a result, certain calls were permitted where they should have been denied. This vulnerability has been addressed in the latest versions.
Affected Version(s)
wasmtime >= 37.0.0, < 44.0.2 < 37.0.0, 44.0.2
wasmtime >= 25.0.0, < 36.0.10 < 25.0.0, 36.0.10
wasmtime < 24.0.9 < 24.0.9
