CVE-2026-26032

Severity CVSS v4.0:
Pending analysis
Type:
CWE-22 Path Traversal
Publication date:
15/07/2026
Last modified:
16/07/2026

Description

The PackagerResolver of Apache Ivy is able to download online<br /> artifacts and to (re)package them in a format defined by a<br /> packager.xml file. This repackaging is done by an Ant script, which is<br /> stored in a subdirectory of the configured "buildRoot" directory. This<br /> subdirectory is calculated based on modules coordinates, like the<br /> organisation, name or version.<br /> <br /> If one of the coordinates contains "../" sequences - which are valid<br /> characters for Ivy coordinates in general- it is possible to break out<br /> of the configured "buildRoot" directory where other files can be<br /> overwritten.<br /> <br /> In order to exploit this vulnerability an attacker needs to have<br /> access to a packager repository and add or modify the coordinates in<br /> ivy.xml files to have such "../" sequences.<br /> <br /> Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:* 2.0.0 (including) 2.6.0 (excluding)