CVE-2026-26032
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
15/07/2026
Last modified:
16/07/2026
Description
The PackagerResolver of Apache Ivy is able to download online<br />
artifacts and to (re)package them in a format defined by a<br />
packager.xml file. This repackaging is done by an Ant script, which is<br />
stored in a subdirectory of the configured "buildRoot" directory. This<br />
subdirectory is calculated based on modules coordinates, like the<br />
organisation, name or version.<br />
<br />
If one of the coordinates contains "../" sequences - which are valid<br />
characters for Ivy coordinates in general- it is possible to break out<br />
of the configured "buildRoot" directory where other files can be<br />
overwritten.<br />
<br />
In order to exploit this vulnerability an attacker needs to have<br />
access to a packager repository and add or modify the coordinates in<br />
ivy.xml files to have such "../" sequences.<br />
<br />
Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.6.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



