Local File Read Vulnerability in Pydantic Settings Management by Pydantic
CVE-2026-58203

5.3MEDIUM

Key Information:

Vendor

Pydantic

Vendor
CVE Published:
6 July 2026

What is CVE-2026-58203?

The vulnerability in the pydantic-settings package affects versions from 2.12.0 to 2.14.2. This issue arises when the NestedSecretsSettingsSource processes secret values from a configuration directory. Due to the handling of symbolic links when secrets_nested_subdir is set to true, it allows unauthorized access to files located outside the defined secrets directory. An attacker capable of influencing this directory, such as through writable mounts, can exploit this flaw to access sensitive data and bypass limits set by secrets_dir_max_size, resulting in potential data exposure.

Affected Version(s)

pydantic-settings >= 2.12.0, < 2.14.2

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.