oss-sec mailing list archives

CVE-2026-26032: Apache Ivy: PackagerResolver path traversal vulnerability


From: Stefan Bodewig <bodewig () apache org>
Date: Wed, 15 Jul 2026 17:22:46 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: moderate 

Affected versions:

- - Apache Ivy (org.apache.ivy:ivy) 2.0.0 through 2.5.3

Description:

The PackagerResolver of Apache Ivy is able to download online
artifacts and to (re)package them in a format defined by a
packager.xml file. This repackaging is done by an Ant script, which is
stored in a subdirectory of the configured "buildRoot" directory. This
subdirectory is calculated based on modules coordinates, like the
organisation, name or version.

If one of the coordinates contains "../" sequences - which are valid
characters for Ivy coordinates in general- it is possible to break out
of the configured "buildRoot" directory where other files can be
overwritten.

In order to exploit this vulnerability an attacker needs to have
access to a packager repository and add or modify the coordinates in
ivy.xml files to have such "../" sequences.

Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.

Credit:

yudeshui of dhgate security (reporter)

References:

https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-26032

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmpXpcYACgkQohFa4V9ri3L7uACgr9dNo4ef+5Ly4dbgxV3j+x8u
mBMAoLtTpA8DoE84PcOucocRbJt0M/Jf
=tAVg
-----END PGP SIGNATURE-----


Current thread: