CVE-2026-26960

medium

Red Hat

CVSS v3 Base Score

7.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Published: February 20, 2026

Last Modified: February 20, 2026

Vendor: Red Hat

Description

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

CWE

CWE-22

Affected Products

Cryostat 4Logging Subsystem for Red Hat OpenShiftNetwork Observability OperatorRed Hat 3scale API Management Platform 2Red Hat Advanced Cluster Management for Kubernetes 2Red Hat AMQ Broker 7Red Hat build of Apache Camel - HawtIO 4Red Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-26960

Vulnerability Report

Description

CWE

Affected Products

References