CVE-2026-27139

Published: Mar 6, 2026Modified: Apr 21, 2026

2.5

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.0 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.25.8
Golang Go	Version 1.26.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://go.dev/cl/749480

Source: security@golang.org

Mailing List

https://go.dev/issue/77827

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Source: security@golang.org

Release Notes

https://pkg.go.dev/vuln/GO-2026-4602

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.