PT-2026-32098 · Gleam · Gleam

John Downey +1 · Published 2026-04-11 · Updated 2026-05-21 · CVE-2026-32146

CVSS v4.0: 8.3 High

Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: Gleam versions 1.9.0-rc1 through 1.15.3 and 1.16.0-rc1

Description: An improper path validation issue exists in the Gleam compiler when handling git dependencies during the dependency download process. Dependency names from gleam.toml and manifest.toml are used to construct filesystem paths without sufficient validation, allowing attacker-controlled names (using relative traversal like '../' or absolute paths) to target locations outside the intended dependency directory. This can lead to arbitrary filesystem modification, including directory deletion and creation, when resolving git dependencies with gleam deps download. A malicious git dependency can overwrite arbitrary directories, potentially causing data loss or, in some environments, achieving code execution by overwriting files like git hooks or shell configuration files.

Recommendations: Avoid using untrusted git dependencies, especially without pinning to a specific commit SHA. Review dependency trees carefully, including transitive git dependencies. Run dependency resolution commands in a restricted or isolated environment (e.g., containers).
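The weakness described above is a path built by joining an untrusted dependency name onto a packages directory. The following Rust example is added here for illustration and is not code from the Gleam compiler or from the advisory: it shows the weak join pattern next to a hardened version that allow-lists the name and then confirms the lexically normalised result still lies strictly below the packages directory. The function names, the `/proj/build/packages` layout, and the package-name rule (lowercase ASCII letters, digits and underscores) are assumptions made for this example, not Gleam's actual grammar or paths.

```rust
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum DepPathError {
    EmptyName,
    InvalidCharacter(char),
    EscapesDepsDir(PathBuf),
}

/// The weak pattern: a dependency name taken from a manifest is joined onto
/// the packages directory with no validation. `Path::join` keeps `..`
/// components and replaces the whole path when given an absolute one, so
/// the result can land anywhere on the filesystem.
pub fn unchecked_dependency_dir(deps_dir: &Path, name: &str) -> PathBuf {
    deps_dir.join(name)
}

/// Lexically normalise a path: fold `.` and `..` without touching the
/// filesystem, so the containment check works before the directory exists.
fn normalise(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Defence in depth: true only if `candidate` normalises to a location
/// strictly below `deps_dir` (the directory itself is not a valid target).
pub fn stays_within(deps_dir: &Path, candidate: &Path) -> bool {
    let base = normalise(deps_dir);
    let target = normalise(candidate);
    target.starts_with(&base) && target != base
}

/// Allow-list the name itself: lowercase ASCII letters, digits and
/// underscores (assumed naming rule for this example). A name that passes
/// can only ever be a single normal path component.
pub fn validate_dependency_name(name: &str) -> Result<(), DepPathError> {
    if name.is_empty() {
        return Err(DepPathError::EmptyName);
    }
    if let Some(bad) = name
        .chars()
        .find(|c| !(c.is_ascii_lowercase() || c.is_ascii_digit() || *c == '_'))
    {
        return Err(DepPathError::InvalidCharacter(bad));
    }
    Ok(())
}

/// Hardened version: validate the name, then independently confirm the
/// resulting path cannot escape the packages directory.
pub fn checked_dependency_dir(deps_dir: &Path, name: &str) -> Result<PathBuf, DepPathError> {
    validate_dependency_name(name)?;
    let candidate = normalise(&deps_dir.join(name));
    if stays_within(deps_dir, &candidate) {
        Ok(candidate)
    } else {
        Err(DepPathError::EscapesDepsDir(candidate))
    }
}

fn main() {
    // Constructed sample names: one benign, one relative traversal, one absolute.
    let deps = Path::new("/proj/build/packages");
    for name in ["gleam_stdlib", "../../.git/hooks", "/home/user/.bashrc"] {
        println!(
            "{name:?}: unchecked -> {}",
            unchecked_dependency_dir(deps, name).display()
        );
        println!("{name:?}: checked   -> {:?}", checked_dependency_dir(deps, name));
    }
}
```

The allow-list alone is sufficient for a well-formed name; `stays_within` is kept as a separate check so that any future loosening of the naming rule, or a path assembled from another source, still cannot write outside the packages directory.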

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-32146
GHSA-VQ5J-55VX-WQ8J

Affected Products

Gleam