PT-2026-4844 · Go-Tuf

1Seal · Published 2026-01-26 · Updated 2026-05-18

CVE-2026-24686 · CVSS v3.1 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: go-tuf versions prior to 2.4.1

Description: go-tuf is a Go implementation of The Update Framework (TUF). Its TAP 4 multi-repository client uses the repository name string from the map file (repoName) as a filesystem path component when choosing the local metadata cache directory for that repository. If an application accepts a map file from an untrusted source, an attacker who controls the map file can supply a repoName containing traversal sequences (e.g., ../escaped-repo) and cause go-tuf to create directories and write the root metadata file outside the intended cache base. The write is bounded only by the running process's filesystem permissions, so within those permissions it can overwrite arbitrary files. Applications that only load map files from trusted, locally controlled configuration are not exposed to this path.

Recommendations: Update to version 2.4.1 or later. Applications that consume map files from untrusted sources should additionally verify that every repoName is a single path element (no separators, not "." or "..") before handing the map file to the client.
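The following is an added illustration of the flaw class described above, written for this page; it is not go-tuf's own code and does not reproduce its fix. The function names (unsafeCacheDir, safeCacheDir, escapesBase, writeRootMetadata), the cache base directory and the sample repoName values are all assumptions constructed for the example. It shows why a repoName of ../escaped-repo escapes the cache base when it is joined onto the base unchecked, and one way to validate the name so that it cannot.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadRepoName is returned for a map-file repository name that is not a
// single, clean path element and so could steer the cache directory outside
// the metadata cache base.
var ErrBadRepoName = errors.New("repoName is not a single safe path element")

// unsafeCacheDir reproduces the vulnerable pattern (hypothetical name): the
// untrusted repoName is used directly as a path component. filepath.Join
// cleans the result, so "../escaped-repo" yields a sibling of base, not a
// child of it.
func unsafeCacheDir(base, repoName string) string {
	return filepath.Join(base, repoName)
}

// escapesBase reports whether dir lies outside base. The comparison is
// lexical (after Clean), which is exactly what ".." traversal exploits.
func escapesBase(base, dir string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(dir))
	if err != nil {
		return true
	}
	return rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		filepath.IsAbs(rel)
}

// safeCacheDir accepts only a repoName that is exactly one clean path element
// (no separators, not "", ".", or "..", not absolute) and then confirms the
// joined path still lies under base before returning it.
func safeCacheDir(base, repoName string) (string, error) {
	switch repoName {
	case "", ".", "..":
		return "", ErrBadRepoName
	}
	if strings.ContainsAny(repoName, `/\`) || filepath.IsAbs(repoName) {
		return "", ErrBadRepoName
	}
	if filepath.Base(repoName) != repoName || filepath.Clean(repoName) != repoName {
		return "", ErrBadRepoName
	}
	dir := filepath.Join(filepath.Clean(base), repoName)
	if escapesBase(base, dir) {
		return "", ErrBadRepoName
	}
	return dir, nil
}

// writeRootMetadata creates the per-repository cache directory and writes
// root.json into it, returning the written path. Fed an unchecked directory
// from unsafeCacheDir, this is the step that lands a file outside the base.
func writeRootMetadata(dir string, root []byte) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "root.json")
	if err := os.WriteFile(path, root, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	// Constructed sample: a cache base and a few repoName values, one of them
	// the traversal string quoted in the advisory.
	base := filepath.Join(os.TempDir(), "tuf-cache")
	for _, name := range []string{"prod", "../escaped-repo", "nested/repo", "..", ""} {
		u := unsafeCacheDir(base, name)
		fmt.Printf("%-18q unsafe -> %s (escapes base: %v)\n", name, u, escapesBase(base, u))
		if s, err := safeCacheDir(base, name); err != nil {
			fmt.Printf("%-18q safe   -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%-18q safe   -> %s\n", name, s)
		}
	}
}
```

The containment check in safeCacheDir is deliberately redundant with the single-element check: rejecting separators and "." / ".." stops the traversal shown here, and the final filepath.Rel comparison catches anything that still resolves outside the base. Running the program prints the unsafe join for ../escaped-repo resolving to a directory beside the cache base while the checked variant rejects it.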

Weakness Enumeration

Path traversal

Related Identifiers

CLEANSTART-2026-HF07497
CLEANSTART-2026-NV36169
CLEANSTART-2026-WN01990
CVE-2026-24686
GHSA-JQC5-W2XX-5VQ4
GO-2026-4377
OPENSUSE-SU-2026:10664-1
SUSE-SU-2026:0403-1
SUSE-SU-2026:0757-1

Affected Products

Go-Tuf