PT-2026-47224 — Tuf

PT-2026-47224 · Pypi · Tuf

Published

2026-05-28

Updated

2026-05-28

CVSS v3.1

4.0

Medium

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

DelegatedRole. is target in pathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern.

Python's fnmatch.fnmatch calls os.path.normcase() on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.path resolves to ntpath, whose normcase lowercases its input and replaces / with ``.

As a result, python-tuf's delegation path pattern matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.

The result on Windows is a TUF specification violation in the python-tuf ngclient implementation.

Vulnerable code

tuf/api/ payload.py (HEAD 7ecb67d):

1183 @staticmethod
1184 def is target in pathpattern(targetpath: str, pathpattern: str) -> bool:
1185   """Determine whether ``targetpath`` matches the ``pathpattern``."""
1186   # We need to make sure that targetpath and pathpattern are pointing to
1187   # the same directory as fnmatch doesn't threat "/" as a special symbol.
1188   target parts = targetpath.split("/")
1189   pattern parts = pathpattern.split("/")
1190   if len(target parts) != len(pattern parts):
1191     return False
1192
1193   # Every part in the pathpattern could include a glob pattern, that's why
1194   # each of the target and pathpattern parts should match.
1195   for target, pattern in zip(target parts, pattern parts, strict=True):
1196     if not fnmatch.fnmatch(target, pattern):
1197       return False
1198   return True

fnmatch.fnmatch source (Python 3.12, unchanged in current mainline):

def fnmatch(name, pat):
  ...
  name = os.path.normcase(name)
  pat = os.path.normcase(pat)
  return fnmatchcase(name, pat)

Fix

Replace fnmatch.fnmatch with fnmatch.fnmatchcase, which is explicitly documented as "not applying case normalization", so it behaves identically across platforms.

Attack

A TUF repository with two path-based delegations whose patterns differ only in case — for example, Foo/* and foo/*.
The "attacker" delegation is listed BEFORE the "legit" delegation in the delegation order.
The client searches for foo/something: on Windows, it will find the "attacker" provided target "Foo/something".

Exploitability caveats

The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.
Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.
The client must run on Windows. No effect on Linux/macOS.

Credit

Reporter: Koda Reef @kodareef5 Advisory edits: Jussi Kukkonen @jku

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-178

Related Identifiers

GHSA-QP9X-WP8F-QGJJ

Affected Products

Tuf