CVE-2026-32771

CVE-2026-32771 is a high-severity path traversal vulnerability in github.com/ctfer-io/monitoring (go), affecting versions < 0.2.2. It is fixed in 0.2.2.

Summary

The sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI tool or the extract.DumpOTelCollector library function.

Vulnerable Code

File: pkg/extract/extract.go, lines 248–254

func sanitizeArchivePath(d, t string) (v string, err error) {
    v = filepath.Join(d, t)
    if strings.HasPrefix(v, filepath.Clean(d)) {   // ← missing trailing separator
        return v, nil
    }
    return "", fmt.Errorf("filepath is tainted: %s", t)
}

The function is called at line 219 inside untar, which is invoked by copyFromPod (line 205) during the Cold Extract data dump workflow.

Root Cause

strings.HasPrefix(v, filepath.Clean(d)) does not append a trailing / to the directory prefix, so any sibling directory whose name merely begins with the destination name collides with it. If the destination is /home/user/extract-output and a tar entry is named ../extract-outputevil/pwned, the joined path /home/user/extract-outputevil/pwned passes the prefix check because it starts with /home/user/extract-output, even though it lies entirely outside the intended directory.
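The following example is added here to show the prefix collision side by side with a hardened check; it is not the project's own patch. sanitizeArchivePathVulnerable copies the pre-0.2.2 logic from the advisory, while sanitizeArchivePathFixed (an assumed name) rejects any entry that resolves outside the cleaned destination using filepath.Rel, which also catches the trailing-separator case.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sanitizeArchivePathVulnerable reproduces the pre-0.2.2 check quoted in the
// advisory: the prefix carries no trailing separator, so a sibling directory
// whose name starts with the destination name passes the check.
func sanitizeArchivePathVulnerable(d, t string) (string, error) {
	v := filepath.Join(d, t)
	if strings.HasPrefix(v, filepath.Clean(d)) {
		return v, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", t)
}

// sanitizeArchivePathFixed is a hardened form written for this example. It
// computes the joined path relative to the cleaned destination and refuses
// anything that climbs out of it (".." or "../..."), which covers both classic
// traversal and the name-prefix collision described above.
func sanitizeArchivePathFixed(d, t string) (string, error) {
	base := filepath.Clean(d)
	v := filepath.Join(base, t)
	rel, err := filepath.Rel(base, v)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("filepath is tainted: %s", t)
	}
	return v, nil
}

func main() {
	// Constructed inputs: the destination and entry names used in the advisory.
	dest := "/home/user/extract-output"
	entries := []string{
		"otel_traces/data.json",               // legitimate OTLP file
		"../extract-outputevil/poc-proof.txt", // prefix-collision entry
	}
	for _, name := range entries {
		_, errV := sanitizeArchivePathVulnerable(dest, name)
		_, errF := sanitizeArchivePathFixed(dest, name)
		fmt.Printf("%-40s vulnerable accepts=%v  fixed accepts=%v\n",
			name, errV == nil, errF == nil)
	}
}
```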

Steps to Reproduce

  1. Deploy the monitoring stack with ColdExtract: true. The OTEL Collector begins writing signal data (otel_traces, otel_metrics, otel_logs) to the shared PVC.

  2. Place the PoC tar on the PVC. Any pod with write access to the ReadWriteMany PVC (or the compromised OTEL Collector itself) copies a poc-path-traversal.tar into the /data/collector mount path. The archive contains three real-looking OTLP telemetry files alongside two crafted entries with path-traversal names.

  3. Run the extractor against the namespace:

    extractor \
      --namespace monitoring \
      --pvc-name <signals-pvc-name> \
      --directory /home/user/extract-output
    
  4. Observe the bypass. untar processes the tar stream. For the malicious entries:

    // entry name: ../extract-outputevil/poc-proof.txt
    filepath.Join("/home/user/extract-output", "../extract-outputevil/poc-proof.txt")
      => "/home/user/extract-outputevil/poc-proof.txt"
    
    strings.HasPrefix("/home/user/extract-outputevil/poc-proof.txt",
                      "/home/user/extract-output")
      => true   // BUG: prefix collision; file lands OUTSIDE target dir
    

    Both malicious entries are written outside /home/user/extract-output/. The three legitimate OTLP files land correctly inside it.

Impact

Successful exploitation gives an attacker arbitrary file write on the machine running the extractor. Real-world primitives include:

  • Overwriting ~/.bashrc / ~/.zshrc / ~/.profile for RCE on next shell login
  • Appending to ~/.ssh/authorized_keys for persistent SSH backdoor
  • Dropping a malicious entry into ~/.kube/config to hijack cluster access
  • Writing crontab entries for persistent scheduled execution

The attack surface is widened by the default ReadWriteMany PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload, not just the OTEL Collector itself.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-32771 has a CVSS score of 9.8 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.2.2); upgrading removes the vulnerable code path.

Affected versions

github.com/ctfer-io/monitoring (< 0.2.2)

Security releases

github.com/ctfer-io/monitoring → 0.2.2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/ctfer-io/monitoring to 0.2.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-32771? CVE-2026-32771 is a high-severity path traversal vulnerability in github.com/ctfer-io/monitoring (go), affecting versions < 0.2.2. It is fixed in 0.2.2. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-32771? CVE-2026-32771 has a CVSS score of 9.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/ctfer-io/monitoring are affected by CVE-2026-32771? github.com/ctfer-io/monitoring (go) versions < 0.2.2 are affected.
  4. Is there a fix for CVE-2026-32771? Yes. CVE-2026-32771 is fixed in 0.2.2. Upgrade to this version or later.
  5. Is CVE-2026-32771 exploitable, and should I be worried? Whether CVE-2026-32771 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-32771 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-32771? Upgrade github.com/ctfer-io/monitoring to 0.2.2 or later.
