{"vulnerability": "cve-2026-54250", "sightings": [{"uuid": "ffcee965-552c-4942-be53-65ac8ea6b0ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54250", "type": "seen", "source": "https://gist.github.com/alon710/0aa2b5000c5f8b16f18b0419c2e76818", "content": "# CVE-2026-54250: CVE-2026-54250: Path Traversal Vulnerability in K3s etcd Snapshot Decompression\n\n&gt; **CVSS Score:** 5.8\n&gt; **Published:** 2026-07-14\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-54250\n\n## Summary\nCVE-2026-54250 is a path traversal vulnerability in K3s, a lightweight Kubernetes distribution. The flaw exists within the etcd snapshot decompression functionality, allowing administrative users to write arbitrary files to the host filesystem via a maliciously crafted ZIP archive. Due to the high privilege level of the K3s process, this can result in total host compromise.\n\n## TL;DR\nA Zip Slip path traversal vulnerability in K3s allows administrative users with snapshot restore capabilities to write arbitrary files to the host filesystem, potentially leading to remote code execution and host takeover.\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 5.8 (Medium)\n- **EPSS Score**: 0.00122 (Percentile: 2.32%)\n- **Exploit Status**: Unproven/None\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- K3s Control-Plane Server Nodes\n- **K3s**: &gt;= 1.35.0-rc1+k3s1 to &lt; 1.35.3+k3s1 (Fixed in: `1.35.3+k3s1`)\n- **K3s**: &gt;= 1.34.0-rc1+k3s1 to &lt; 1.34.6+k3s1 (Fixed in: `1.34.6+k3s1`)\n- **K3s**: &lt; v1.33.10+k3s1 (Fixed in: `v1.33.10+k3s1`)\n\n## Mitigation\n\n- Upgrade to patched versions of K3s\n- Enforce GODEBUG=zipinsecurepath=0 environment variable\n- Manually pre-extract the ZIP archive using hardened tools\n\n**Remediation Steps:**\n1. Identify the current version of K3s running on control-plane nodes.\n2. Download and apply the updated K3s binary corresponding to the patched release (e.g., 1.35.3+k3s1, 1.34.6+k3s1, or v1.33.10+k3s1).\n3. If upgrading is delayed, prepend 'GODEBUG=zipinsecurepath=0' to restoration command invocations as an active workaround.\n4. Alternatively, extract snapshot archives manually and target the decompressed database file directly in restoration commands.\n\n## References\n\n- [GitHub Security Advisory GHSA-jxr7-mqhw-9p98](https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98)\n- [NVD Vulnerability Details](https://nvd.nist.gov/vuln/detail/CVE-2026-54250)\n- [CVE Org Record](https://www.cve.org/CVERecord?id=CVE-2026-54250)\n- [K3s Source Code Repository](https://github.com/k3s-io/k3s)\n- [K3s Official Documentation on Restoring Snapshots](https://docs.k3s.io/cli/etcd-snapshot#security)\n- [Go archive/zip Insecure Path Protections](https://pkg.go.dev/archive/zip#NewReader)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-54250) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-14T18:11:53.864161Z"}]}