Local File Read Vulnerability in Pydantic Settings Management by Pydantic
CVE-2026-58203
5.3MEDIUM
What is CVE-2026-58203?
The vulnerability in the pydantic-settings package affects versions from 2.12.0 to 2.14.2. This issue arises when the NestedSecretsSettingsSource processes secret values from a configuration directory. Due to the handling of symbolic links when secrets_nested_subdir is set to true, it allows unauthorized access to files located outside the defined secrets directory. An attacker capable of influencing this directory, such as through writable mounts, can exploit this flaw to access sensitive data and bypass limits set by secrets_dir_max_size, resulting in potential data exposure.
Affected Version(s)
pydantic-settings >= 2.12.0, < 2.14.2
