CVE-2026-26960
Published 2026-02-20
Priority P3 · 38 · Severity high · CVSS 3.1 base score 7.1
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:N
EPSS: 0.29% (20.5th percentile)
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Affected
7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.2.1+ds1+~cs6.1.13-8 (forky) | node-tar 6.2.1+ds1+~cs6.1.13-8 (forky) |
| gnu | tar | >= 0 < 7.5.8 | 7.5.8 |
| isaacs | node-tar | < 7.5.8 | 7.5.8 |
| isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
| isaacs | tar | < 7.5.8 | 7.5.8 |
| msrc | azl3_tar_1.35-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_tar_1.34-3_on_cbl_mariner_2.0 | — | — |

Note on the rows: node-tar is published on npm under the bare name `tar`, so trackers that key on that name also match GNU tar, a different code base. The `gnu`/`tar` row carries node-tar's fix version (7.5.8), which is not a GNU tar release, and the MSRC identifiers name tar 1.34 and 1.35, which are GNU tar version numbers; confirm with the vendor record before treating those rows as affected. The version `6.2.1+ds1+~cs6.1.13-8` is Debian's package version for node-tar (it also appears under the `isaacs` vendor).
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| osv | — | 7.1 | HIGH | — |
| vendor_debian | — | 7.1 | HIGH | — |
| vendor_msrc | — | 7.1 | HIGH | — |
| vendor_redhat | — | 7.1 | HIGH | — |
Red Hat
node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
vendor_redhat · 2026-02-20 · CVSS 7.1 · HIGH · CWE-22
A flaw was found in node-tar. An attacker can craft a malicious archive that, when extracted with default options, creates a hardlink outside the intended extraction directory. This vulnerability allows the attacker to perform arbi
Microsoft
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
vendor_msrc · 2026-02-10 · CVSS 7.1 · HIGH · CWE-22
Mariner · GitHub_M
Customer Action Required: Yes
Debian
CVE-2026-26960: node-tar - node-tar is a full-featured Tar for Node.js. When using default options in versi...
vendor_debian · 2026 · CVSS 7.1 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 6.2.1+ds1+~cs6.1.13-8)
sid: resolved (fixed in 6.2.1+ds1+~cs6.1.13-8)
trixie: open
OSV
CVE-2026-26960: node-tar is a full-featured Tar for Node
osv · 2026-02-20 · CVSS 7.1 · HIGH
OSV
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
osv · 2026-02-18 · HIGH
### Summary
`tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.
This enables **arbitrary file read and write** as the extracting user (no root, no chmod, no `preservePaths`).
Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.
### Details
The bypass chain uses two symlinks plus one hardlink:
1. `a/b/c/up -> ../..`
2. `a/b/escape -> c/up/../..`
3. `exfil` (hardlink) -> `a/b/escape/`
Why this works:
- Linkpath checks are string-based and do not resolve symlinks on
GHSA
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
ghsa · 2026-02-18 · HIGH · CWE-22
Same advisory text (Summary and Details) as the OSV record above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-26960 crow-translate: node-tar: Arbitrary file read/write via malicious archive hardlink creation [fedora-42]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currentl
Bugzilla
CVE-2026-26960 node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Bugzilla
CVE-2026-26960 openvino: node-tar: Arbitrary file read/write via malicious archive hardlink creation [fedora-42]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer and discussion: the same Red Hat community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as in the crow-translate entry above.
Bugzilla
CVE-2026-26960 kf6-breeze-icons: node-tar: Arbitrary file read/write via malicious archive hardlink creation [fedora-42]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer and discussion: the same Red Hat community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as in the crow-translate entry above.
Bugzilla
CVE-2026-26960 tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation [fedora-42]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer and discussion: the same Red Hat community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as in the crow-translate entry above.
Bugzilla
CVE-2026-26960 mozjs78: node-tar: Arbitrary file read/write via malicious archive hardlink creation [epel-all]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer: the same Red Hat community-tracker disclaimer as in the crow-translate entry above.
Discussion:
Closing CVE bug as not relevant to the mozjs package, and there is sadly no option to opt out from these reports :( .
Bugzilla
CVE-2026-26960 onnxruntime: node-tar: Arbitrary file read/write via malicious archive hardlink creation [fedora-42]
bugzilla · 2026-02-20 · CVSS 7.1 · HIGH
Disclaimer and discussion: the same Red Hat community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as in the crow-translate entry above.
Wiz
CVE-2026-26960 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · HIGH
JavaScript vulnerability analysis and mitigation (description as given above; source: NVD)
Score: 7.1 · CNA score: 7.1 · Severity: HIGH · Published: February 20, 2026
Affected technologies: JavaScript, Grafana
Has public exploit: Yes (note that this page's own exploit index above lists no public exploits; treat exploit availability as unconfirmed)
Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation P