CVE-2026-23986: CWE-61: UNIX Symbolic Link (Symlink) Following in copier-org copier
CVE-2026-23986 is a medium-severity vulnerability in copier versions prior to 9. 11. 2 that allows a malicious project template to overwrite arbitrary files outside the intended destination directory by exploiting symbolic link following combined with the _preserve_symlinks: true setting. This occurs without requiring privileges or authentication but does require user interaction to generate a project from a crafted template. The vulnerability enables attackers to cause data corruption or disruption by overwriting files according to the user's write permissions. The issue is patched in version 9. 11. 2. European organizations using copier for project templating should update promptly to mitigate risk. The vulnerability primarily affects UNIX-like systems where symbolic links are supported and copier is used.
AI Analysis
Technical Summary
CVE-2026-23986 is a symbolic link (symlink) following vulnerability categorized under CWE-61 affecting the copier library and CLI tool, which is used for rendering project templates. Prior to version 9.11.2, copier allowed templates marked as 'safe' to write files only within the destination directory. However, a crafted template can exploit the _preserve_symlinks: true option combined with a symlinked directory structure to escape the intended directory boundary. By creating a symlink pointing outside the destination path and generating files whose rendered paths resolve inside this symlink, the template can cause copier to write files arbitrarily anywhere the user has write permissions. This can lead to overwriting critical system or user files, causing data loss, corruption, or potential disruption of services. The vulnerability does not require elevated privileges or authentication but does require user interaction to run the malicious template. The issue was resolved in copier version 9.11.2 by restricting symlink traversal or sanitizing paths to prevent directory escape. The CVSS 4.0 score of 6.9 reflects medium severity, with local attack vector, low complexity, no privileges required, but user interaction needed, and high impact on integrity and availability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to development and operations environments where copier is used to automate project scaffolding or templating. Successful exploitation can lead to arbitrary file overwrites, potentially corrupting configuration files, source code, or critical system files, resulting in service disruption or data integrity issues. Since the attack requires user interaction to generate a project from a malicious template, the risk is higher in environments where templates are sourced from untrusted or external repositories. The vulnerability could be leveraged in supply chain attacks targeting software development pipelines. Organizations relying on UNIX-like systems (Linux, macOS) are most affected due to symlink support. The impact is amplified in sectors with stringent data integrity requirements such as finance, healthcare, and critical infrastructure. Although no known exploits are reported in the wild yet, the medium severity and ease of exploitation warrant proactive mitigation.
Mitigation Recommendations
European organizations should immediately upgrade copier to version 9.11.2 or later to apply the official patch. Until upgraded, avoid using templates from untrusted sources, especially those that enable the _preserve_symlinks option. Implement strict code review and validation processes for project templates before use. Employ file system monitoring to detect unexpected file modifications outside designated directories. Use containerized or sandboxed environments for running copier commands to limit potential damage from file overwrites. Educate developers and DevOps teams about the risks of using unsafe templates and the importance of verifying template provenance. Integrate automated scanning tools to detect symlink traversal or directory escape patterns in templates. Finally, maintain regular backups of critical configuration and source files to enable recovery in case of exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
CVE-2026-23986: CWE-61: UNIX Symbolic Link (Symlink) Following in copier-org copier
Description
CVE-2026-23986 is a medium-severity vulnerability in copier versions prior to 9. 11. 2 that allows a malicious project template to overwrite arbitrary files outside the intended destination directory by exploiting symbolic link following combined with the _preserve_symlinks: true setting. This occurs without requiring privileges or authentication but does require user interaction to generate a project from a crafted template. The vulnerability enables attackers to cause data corruption or disruption by overwriting files according to the user's write permissions. The issue is patched in version 9. 11. 2. European organizations using copier for project templating should update promptly to mitigate risk. The vulnerability primarily affects UNIX-like systems where symbolic links are supported and copier is used.
AI-Powered Analysis
Technical Analysis
CVE-2026-23986 is a symbolic link (symlink) following vulnerability categorized under CWE-61 affecting the copier library and CLI tool, which is used for rendering project templates. Prior to version 9.11.2, copier allowed templates marked as 'safe' to write files only within the destination directory. However, a crafted template can exploit the _preserve_symlinks: true option combined with a symlinked directory structure to escape the intended directory boundary. By creating a symlink pointing outside the destination path and generating files whose rendered paths resolve inside this symlink, the template can cause copier to write files arbitrarily anywhere the user has write permissions. This can lead to overwriting critical system or user files, causing data loss, corruption, or potential disruption of services. The vulnerability does not require elevated privileges or authentication but does require user interaction to run the malicious template. The issue was resolved in copier version 9.11.2 by restricting symlink traversal or sanitizing paths to prevent directory escape. The CVSS 4.0 score of 6.9 reflects medium severity, with local attack vector, low complexity, no privileges required, but user interaction needed, and high impact on integrity and availability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to development and operations environments where copier is used to automate project scaffolding or templating. Successful exploitation can lead to arbitrary file overwrites, potentially corrupting configuration files, source code, or critical system files, resulting in service disruption or data integrity issues. Since the attack requires user interaction to generate a project from a malicious template, the risk is higher in environments where templates are sourced from untrusted or external repositories. The vulnerability could be leveraged in supply chain attacks targeting software development pipelines. Organizations relying on UNIX-like systems (Linux, macOS) are most affected due to symlink support. The impact is amplified in sectors with stringent data integrity requirements such as finance, healthcare, and critical infrastructure. Although no known exploits are reported in the wild yet, the medium severity and ease of exploitation warrant proactive mitigation.
Mitigation Recommendations
European organizations should immediately upgrade copier to version 9.11.2 or later to apply the official patch. Until upgraded, avoid using templates from untrusted sources, especially those that enable the _preserve_symlinks option. Implement strict code review and validation processes for project templates before use. Employ file system monitoring to detect unexpected file modifications outside designated directories. Use containerized or sandboxed environments for running copier commands to limit potential damage from file overwrites. Educate developers and DevOps teams about the risks of using unsafe templates and the importance of verifying template provenance. Integrate automated scanning tools to detect symlink traversal or directory escape patterns in templates. Finally, maintain regular backups of critical configuration and source files to enable recovery in case of exploitation.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-19T18:49:20.656Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 697154cc4623b1157cf0b385
Added to database: 1/21/2026, 10:35:56 PM
Last enriched: 1/29/2026, 8:48:42 AM
Last updated: 2/7/2026, 8:52:46 AM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2079: Improper Authorization in yeqifu warehouse
MediumCVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker
MediumCVE-2026-1643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ariagle MP-Ukagaka
MediumCVE-2026-1634: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alexdtn Subitem AL Slider
MediumCVE-2026-1613: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mrlister1 Wonka Slide
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.