CVE-2026-32771

The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to path traversal because its strings.HasPrefix check compares the joined path against the destination directory without a trailing path separator. The extractor therefore allows arbitrary file writes (e.g., overwriting shell configs, SSH keys, kubeconfig, or crontabs), enabling RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which lets any pod in the cluster inject a malicious payload. This issue has been fixed in version 0.2.2.
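The following Go snippet is an added illustration of the defect class described above and is not the project's code: a reconstructed weak check that compares with strings.HasPrefix and no trailing separator, beside the hardened form. The destination "/data/out" and the archive entry names are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerablePrefixCheck models the weak pattern the advisory describes
// (illustrative reconstruction, not the project's code): the joined path is
// compared with strings.HasPrefix and no trailing separator, so an entry that
// resolves under a sibling directory whose name merely starts with dst passes.
func vulnerablePrefixCheck(dst, name string) (string, bool) {
	cleanDst := filepath.Clean(dst)
	p := filepath.Join(cleanDst, name)
	return p, strings.HasPrefix(p, cleanDst)
}

// safeArchivePath is the hardened form: the prefix must end with a path
// separator (or the entry must resolve to dst itself, e.g. a "." directory
// entry), so "/data/out-sibling/..." no longer matches a dst of "/data/out".
func safeArchivePath(dst, name string) (string, error) {
	cleanDst := filepath.Clean(dst)
	p := filepath.Join(cleanDst, name)
	if p != cleanDst && !strings.HasPrefix(p, cleanDst+string(filepath.Separator)) {
		return "", fmt.Errorf("archive entry %q escapes %q", name, cleanDst)
	}
	return p, nil
}

func main() {
	// Constructed entry names, as an extractor might read them from an archive.
	entries := []string{"logs/app.log", "../out-sibling/notes.txt", "../../etc/hosts", "."}
	for _, e := range entries {
		_, weakOK := vulnerablePrefixCheck("/data/out", e)
		_, err := safeArchivePath("/data/out", e)
		fmt.Printf("%-26s weak accepts: %-5t hardened accepts: %t\n", e, weakOK, err == nil)
	}
}
```

Only the sibling-prefix entry separates the two checks: plain "../../" traversal is already rejected by both because filepath.Join cleans the path, which is why the missing separator is easy to overlook in review.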
Configurations

Configuration 1

cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*

History

16 Apr 2026, 13:28

Type | Values Removed | Values Added
Summary | | (es) The CTFer.io Monitoring component is in charge of the collection, processing and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to path traversal due to a missing trailing path separator in the strings.HasPrefix check. The extractor allows arbitrary file writes (for example, overwriting shell configurations, SSH keys, kubeconfig or crontabs), which enables RCE and persistent backdoors. The attack surface is further amplified by the default ReadWriteMany PVC access mode, which allows any pod in the cluster to inject a malicious payload. This issue has been fixed in version 0.2.2.
References | https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a | https://github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a - Patch
References | https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25 | https://github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25 - Exploit, Vendor Advisory
References | https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title | https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title - Exploit, Third Party Advisory
CPE | | cpe:2.3:a:ctfer:monitoring:*:*:*:*:*:go:*:*
First Time | | Ctfer monitoring; Ctfer
CVSS | v2 : unknown / v3 : unknown | v2 : unknown / v3 : 9.8

20 Mar 2026, 01:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-20 01:15

Updated : 2026-04-16 13:28


NVD link : CVE-2026-32771

Mitre link : CVE-2026-32771

CVE.ORG link : CVE-2026-32771



Products Affected

ctfer

  • monitoring
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')