PT-2026-23862 · Karapace · Karapace

3Th1Cyuk1 · Published 2026-03-07 · Updated 2026-03-11

CVE-2026-29190 · CVSS v3.1 5.3 (Medium) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Karapace versions prior to 6.0.0

Description: Karapace is an implementation of Kafka REST and Schema Registry. A path traversal flaw exists in the backup reader (backup/backends/v3/backend.py) in versions before 6.0.0. An attacker who supplies a malicious backup file can abuse inadequate path validation to read arbitrary files on the system running Karapace. Because the vulnerable code runs in the restore path, the flaw is only reachable in deployments that use the backup/restore functionality with backups from untrusted sources, and the files an attacker can read are bounded by the file-system permissions of the Karapace process.

Recommendations: Update to version 6.0.0 or later.
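The description above names the bug class but not the pattern behind it. The following is an added example, not Karapace's own backup backend and not the fix shipped in 6.0.0: it models a backup as a directory holding a metadata file that lists data-file names (an assumed layout for the demonstration), shows a reader that joins those names onto the backup directory with no containment check, and puts beside it a hardened reader that resolves the candidate path and refuses anything that leaves the backup directory. The function names, the `metadata.json` format and the sample files are all constructed for this example.

```python
"""Added example: path traversal in a backup reader, vulnerable and hardened.

Illustrative code only. The backup layout (a metadata.json listing the names
of data files stored next to it) is an assumption made for the demonstration,
not Karapace's real v3 format.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path


def read_data_file_vulnerable(backup_dir: Path, name: str) -> bytes:
    """Join the attacker-controlled name onto the backup directory unchecked.

    A name such as '../secret.txt' climbs out of backup_dir, and an absolute
    name such as '/etc/hostname' replaces backup_dir entirely, because
    Path.__truediv__ discards the left operand when the right one is absolute.
    """
    return (backup_dir / name).read_bytes()


def resolve_inside(backup_dir: Path, name: str) -> Path:
    """Resolve name against backup_dir and reject anything outside it.

    resolve() follows symlinks and collapses '..' segments, so the containment
    check is made on the real path rather than on the raw string. Absolute
    names fall out naturally: they resolve to themselves and are not relative
    to root.
    """
    root = backup_dir.resolve(strict=True)
    candidate = (root / name).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise ValueError(f"data file {name!r} escapes the backup directory")
    return candidate


def read_data_file_hardened(backup_dir: Path, name: str) -> bytes:
    """Read a data file only after resolve_inside() has accepted its name."""
    return resolve_inside(backup_dir, name).read_bytes()


def restore(backup_dir: Path, reader) -> dict[str, bytes]:
    """Read every data file named in metadata.json (constructed format)."""
    metadata = json.loads((backup_dir / "metadata.json").read_text())
    return {name: reader(backup_dir, name) for name in metadata["data_files"]}


def demo() -> dict[str, bool]:
    """Build a constructed backup whose metadata points outside its own
    directory and show that only the hardened reader refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        secret = tmp_path / "secret.txt"          # a file outside the backup
        secret.write_bytes(b"not part of the backup")
        backup_dir = tmp_path / "backup"
        backup_dir.mkdir()
        (backup_dir / "topic-0.data").write_bytes(b"legitimate records")
        (backup_dir / "metadata.json").write_text(json.dumps(
            {"data_files": ["topic-0.data", "../secret.txt", str(secret)]}))

        # Vulnerable reader: both the relative and the absolute escape succeed.
        leaked = restore(backup_dir, read_data_file_vulnerable)

        # Hardened reader: the first escape raises before any file is read.
        try:
            restore(backup_dir, read_data_file_hardened)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

        return {
            "vulnerable_leaked_relative": leaked["../secret.txt"] == b"not part of the backup",
            "vulnerable_leaked_absolute": leaked[str(secret)] == b"not part of the backup",
            "hardened_rejected": hardened_rejected,
            "hardened_reads_legit": (
                read_data_file_hardened(backup_dir, "topic-0.data") == b"legitimate records"
            ),
        }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by string-matching `..`, because a symlink planted inside the backup directory (or an encoded or platform-specific separator) would slip past a textual filter while still landing outside the directory once opened.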

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-29190, GHSA-RW4J-P3JG-4FXQ

Affected Products: Karapace