CVE-2026-39822

Summary

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryos0 < 1.25.12affected
Go standard libraryos1.26.0-0 < 1.26.5affected
Go standard libraryos1.27.0-0 < 1.27.0-rc.2affected

Weaknesses

  • CWE-61: UNIX Symbolic Link (Symlink) Following

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References