Access Control Bypass in Wasmtime Runtime for WebAssembly
CVE-2026-47261

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
15 June 2026

What is CVE-2026-47261?

An access control bypass vulnerability exists in the Wasmtime runtime for WebAssembly, where certain filesystem permissions can be bypassed when specific preopen configurations are used. This occurs in versions prior to 24.0.9, 36.0.10, and 44.0.2, allowing unauthorized access to files through the wasip2 descriptor.open-at or wasip1 path_open interfaces. The issue arises from incorrect handling of the OpenFlags::TRUNCATE flag, which failed to set necessary write permissions in the access control checks. As a result, certain calls were permitted where they should have been denied. This vulnerability has been addressed in the latest versions.

Affected Version(s)

wasmtime >= 37.0.0, < 44.0.2 < 37.0.0, 44.0.2

wasmtime >= 25.0.0, < 36.0.10 < 25.0.0, 36.0.10

wasmtime < 24.0.9 < 24.0.9

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.