CVE-2026-32771
Published 2026-03-20
Priority P265 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (46.7th percentile)
The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to Path Traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ctfer-io | monitoring | < 0.2.2 | 0.2.2 |
| ctfer | monitoring | < 0.2.2 | 0.2.2 |
| github.com | ctfer-io_monitoring | >= 0 < 0.2.2 | 0.2.2 |
Detection & IOCs
- Vulnerable function is `sanitizeArchivePath` in `pkg/extract/extract.go` (lines 248–254); monitor for path traversal sequences in archive extraction paths processed by this function
- Monitor for unexpected writes to sensitive files (shell configs, SSH keys, kubeconfig, crontabs) originating from the CTFer.io Monitoring component's extraction process, which may indicate exploitation
- In Kubernetes environments, alert on cross-pod file writes to shared PVCs (ReadWriteMany access mode) from pods associated with github.com/ctfer-io/monitoring versions prior to 0.2.2
- Default ReadWriteMany PVC access mode in the CTFer.io Monitoring deployment broadens the blast radius; any pod in the cluster can potentially inject a malicious payload via the shared volume
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization in github.com/ctfer-io/monitoring
osv·2026-03-26
CVE-2026-32771 Monitoring is vulnerable to Archive Slip due to missing checks in sanitization in github.com/ctfer-io/monitoring
OSV
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
osv·2026-03-16
CVE-2026-32771 [HIGH] Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
The `sanitizeArchivePath` function in `pkg/extract/extract.go` (lines 248–254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory when using the `extractor` CLI tool or the `extract.DumpOTelCollector` library function.
## Vulnerable Code
File: `pkg/extract/extract.go`, lines 248–254
```go
func sanitizeArchivePath(d, t string) (v string, err error) {
	v = filepath.Join(d, t)
	if strings.HasPrefix(v, filepath.Clean(d)) { // ← missing trailing separator
		return v, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", t)
}
```
The function is called at line 219 inside `
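The prefix check quoted above, next to one way to close the gap, as an added example (not the project's code and not its 0.2.2 fix). The names `hardenedSanitize` and `escapes`, the destination `/var/lib/extract` and the entry names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// vulnerableSanitize mirrors the check quoted above: a bare prefix
// comparison with no trailing separator after the destination.
func vulnerableSanitize(d, t string) (string, error) {
	v := filepath.Join(d, t)
	if strings.HasPrefix(v, filepath.Clean(d)) {
		return v, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", t)
}

// hardenedSanitize (hypothetical name) accepts an entry only if its path
// relative to the destination does not climb out through "..".
func hardenedSanitize(d, t string) (string, error) {
	base := filepath.Clean(d)
	v := filepath.Join(base, t)
	rel, err := filepath.Rel(base, v)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("filepath is tainted: %s", t)
	}
	return v, nil
}

// escapes lists entry names the quoted check accepts but the hardened one rejects.
func escapes(dest string, names []string) []string {
	var out []string
	for _, n := range names {
		_, vErr := vulnerableSanitize(dest, n)
		_, hErr := hardenedSanitize(dest, n)
		if vErr == nil && hErr != nil {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed destination and entry names, for illustration only.
	names := []string{"logs/otel.log", "../../../etc/placeholder", "../extract-sibling/file.txt"}
	fmt.Println(escapes("/var/lib/extract", names))
}
```

Neither function resolves symlinks, so link entries in an archive still need separate handling by the extractor.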
GHSA
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
ghsa·2026-03-16
CVE-2026-32771 [HIGH] CWE-22 Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
No detection rules found.
No public exploits indexed.
2026-03-20
Published