PT-2026-25862 · Extractor+1 · Extractor+2

Tanishqshah2 · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32771

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CTFer.io Monitoring versions prior to 0.2.2

Description

The CTFer.io Monitoring component, which collects, processes, and stores signals such as logs, metrics, and distributed traces, contains a path traversal flaw in the sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254). The function is called during the Cold Extract data dump workflow.

The root cause is a directory name prefix collision: the strings.HasPrefix check does not append a trailing '/' to the directory prefix, so a path in a different directory whose name begins with the destination directory's name passes the check. A crafted tar archive can therefore write files outside the intended destination directory when it is processed by the extractor CLI tool or the extract.DumpOTelCollector library function.

The result is arbitrary file write, which can overwrite shell configurations, SSH keys, kubeconfig files, or crontabs and lead to Remote Code Execution (RCE) and persistent backdoors. The default ReadWriteMany Persistent Volume Claim (PVC) access mode amplifies the attack surface, because any pod in the cluster can inject a malicious payload.

Recommendations

Versions prior to 0.2.2 should be updated to version 0.2.2 or later.
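
The prefix collision named in the description, reduced to a stand-alone Go sketch that puts a check without the trailing separator beside one with it. This is an added example, not the project's code from pkg/extract/extract.go; the function names checkWithoutSeparator and checkWithSeparator, the destination path, and the entry names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// checkWithoutSeparator (hypothetical name) shows the flawed pattern the
// advisory describes: the destination is used as a raw string prefix, so a
// sibling directory whose name merely starts with it also matches.
func checkWithoutSeparator(dest, entry string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, entry)
	if !strings.HasPrefix(target, root) {
		return "", fmt.Errorf("entry %q escapes %s", entry, root)
	}
	return target, nil
}

// checkWithSeparator (hypothetical name) appends the path separator before
// comparing, so only the destination itself or paths below it are accepted.
func checkWithSeparator(dest, entry string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, entry)
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", entry, root)
	}
	return target, nil
}

func main() {
	// Constructed sample values, not taken from the advisory.
	dest := "/data/dump"
	entries := []string{"logs/app.log", "../dump-old/notes.txt", "../../etc/motd"}
	for _, e := range entries {
		_, weakErr := checkWithoutSeparator(dest, e)
		_, strictErr := checkWithSeparator(dest, e)
		fmt.Printf("%-24s without separator: accepted=%-5t with separator: accepted=%t\n",
			e, weakErr == nil, strictErr == nil)
	}
}
```

The same comparison is useful as a regression test for any archive extractor: an entry resolving to a sibling directory that shares the destination's name prefix must be rejected.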

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2026-32771
GHSA-F7CQ-GVH6-QR25
GO-2026-4712
SUSE-SU-2026:1135-1

Affected Products

CTFer.io Monitoring
extract.DumpOTelCollector
extractor