PT-2026-8024 · Lakefs · Lakefs

Nopcoder · Published 2026-02-13 · Updated 2026-03-03 · CVE-2026-26187

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lakeFS versions prior to 1.77.0

Description: lakeFS, an open-source tool for transforming object storage into Git-like repositories, contains path traversal issues in its local block adapter (pkg/block/local/adapter.go). The verifyRelPath function incorrectly used strings.HasPrefix() for path validation, which accepts any path that merely begins with the base directory string and therefore allows access to sibling directories with similar names. Additionally, the adapter did not verify that object identifiers remained within their designated storage namespace, so an identifier containing path traversal sequences could reach files in other namespaces. Together, these issues allow authenticated users to read and write files outside their designated storage boundaries: the first grants access to sibling directories sharing a path prefix, the second grants access across namespaces via path traversal in object identifiers. This could lead to unauthorized access to sensitive data, malicious file writing, and potential privilege escalation. The vulnerability only affects deployments using the local block adapter.

Recommendations: Versions prior to 1.77.0 should be updated to version 1.77.0 or later.
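The two checks described above, shown side by side as an added illustration (this is not lakeFS code; the function names, the "/data" root and the namespace and identifier values are constructed for the example). The weak check is a bare string-prefix test; the hardened check resolves the candidate relative to the base with filepath.Rel and rejects anything that lands outside it, which covers both the sibling-directory case and ".." sequences in object identifiers.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// weakWithinBase is the flawed pattern the advisory describes: a bare
// string-prefix test. For base "/data/repo" it accepts "/data/repo2/secret".
func weakWithinBase(base, candidate string) bool {
	return strings.HasPrefix(filepath.Clean(candidate), filepath.Clean(base))
}

// safeWithinBase resolves candidate relative to base and rejects anything
// that lands outside it: sibling directories sharing a prefix, ".." segments
// and paths on a different root. Symlinks are not followed here.
func safeWithinBase(base, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveObject (hypothetical helper) maps a storage namespace and an object
// identifier onto a filesystem path and refuses identifiers whose traversal
// sequences would leave the namespace directory.
func resolveObject(root, namespace, id string) (string, error) {
	nsDir := filepath.Join(root, namespace)
	full := filepath.Join(nsDir, id) // Join cleans, so ".." is resolved here
	if id == "" || full == nsDir || !safeWithinBase(nsDir, full) {
		return "", fmt.Errorf("identifier %q escapes namespace %q", id, namespace)
	}
	return full, nil
}

func main() {
	fmt.Println(weakWithinBase("/data/repo", "/data/repo2/secret")) // true: sibling accepted
	fmt.Println(safeWithinBase("/data/repo", "/data/repo2/secret")) // false: sibling rejected
	_, err := resolveObject("/data", "ns1", "../ns2/secret")
	fmt.Println(err) // identifier "../ns2/secret" escapes namespace "ns1"
}
```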

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-26187
GHSA-699M-4V95-RMPM
GO-2026-4494
SUSE-SU-2026:0757-1

Affected Products

Lakefs