
CVE-2026-26187: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in treeverse lakeFS

Severity: High
Tags: Vulnerability, CVE-2026-26187, CWE-22
Published: Fri Feb 13 2026 (02/13/2026, 18:34:10 UTC)
Source: CVE Database V5
Vendor/Project: treeverse
Product: lakeFS

Description

CVE-2026-26187 is a high-severity path traversal vulnerability in treeverse's lakeFS versions prior to 1.77.0. It allows authenticated users to bypass storage boundaries and read or write files outside their designated directories by exploiting improper pathname validation. The vulnerability arises from insufficient checks in the verifyRelPath function, which only validated path prefixes without enforcing path separators, enabling access to sibling directories with similar names. Attackers can manipulate object identifiers with path traversal sequences to access files in other namespaces. This flaw compromises confidentiality and integrity but does not affect availability. The issue is fixed in lakeFS version 1.77.0.

AI-Powered Analysis

AI analysis last updated: 02/13/2026, 19:03:31 UTC

Technical Analysis

CVE-2026-26187 is a path traversal vulnerability classified under CWE-22 affecting the open-source data versioning tool lakeFS, specifically versions before 1.77.0. lakeFS enables Git-like repository management for object storage. The vulnerability exists in the local block adapter component (pkg/block/local/adapter.go), where the verifyRelPath function attempts to restrict file operations within a configured storage directory. However, it uses strings.HasPrefix() to validate paths, which only checks if the path starts with the base directory string but does not ensure that the path separator follows, allowing crafted paths to escape the intended directory boundaries. Additionally, while the adapter verifies that resolved paths remain within the base path, it fails to confirm that object identifiers are confined to their designated storage namespaces. This flaw permits authenticated users to perform path traversal attacks by embedding sequences like "../" in object identifiers, enabling unauthorized read and write access to files outside their storage namespace, including sibling directories. The vulnerability impacts confidentiality and integrity by exposing or modifying sensitive files but does not affect system availability. Exploitation requires authentication but no user interaction, and the attack can be performed remotely over the network. The issue was addressed and fixed in lakeFS version 1.77.0 by improving path validation logic to correctly enforce directory boundaries and namespace restrictions. No known exploits are reported in the wild as of now.
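The two checks the analysis contrasts, as an added example that is not lakeFS code: a bare strings.HasPrefix comparison, which accepts a sibling directory whose name merely starts with the base path, beside a check that compares on path segments, plus a resolver that confines an object identifier to both the adapter's base directory and the namespace it belongs to. The function names (weakVerifyRelPath, resolveObjectPath), the ErrOutsideBoundary error and the /data/store base directory are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBoundary is returned when a resolved path leaves its directory.
var ErrOutsideBoundary = errors.New("path escapes its storage boundary")

// weakVerifyRelPath reproduces the flawed pattern the analysis describes: a
// bare prefix comparison. "/data/store" is a prefix of "/data/store2/secret",
// so a sibling directory with a similar name is accepted.
func weakVerifyRelPath(base, target string) bool {
	return strings.HasPrefix(target, base)
}

// verifyRelPath confines target to base. It cleans both paths (collapsing ".."
// and "."), derives target's path relative to base, and rejects any result
// that is ".." or starts with a ".." segment, which is exactly the case where
// target sits outside base. Because the comparison works on whole segments,
// "/data/store2" is not mistaken for something under "/data/store", and a
// legitimate name such as "..foo" is still accepted.
func verifyRelPath(base, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(target))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveObjectPath maps an object identifier to an on-disk path and enforces
// two boundaries: the adapter's base directory and the namespace directory the
// identifier belongs to. Absolute identifiers are anchored inside the
// namespace rather than honoured, and an identifier that resolves to the
// namespace root itself is rejected.
func resolveObjectPath(base, namespace, identifier string) (string, error) {
	nsDir := filepath.Join(base, namespace)
	if !verifyRelPath(base, nsDir) {
		return "", fmt.Errorf("namespace %q: %w", namespace, ErrOutsideBoundary)
	}
	full := filepath.Join(nsDir, identifier) // Join cleans, so any "../" is resolved here
	if full == nsDir || !verifyRelPath(nsDir, full) {
		return "", fmt.Errorf("object %q in namespace %q: %w", identifier, namespace, ErrOutsideBoundary)
	}
	return full, nil
}

func main() {
	base := "/data/store" // constructed example base directory
	fmt.Println("sibling accepted by weak check: ", weakVerifyRelPath(base, "/data/store2/secret"))
	fmt.Println("sibling accepted by fixed check:", verifyRelPath(base, "/data/store2/secret"))
	for _, id := range []string{"a/b.txt", "../ns2/obj", "/etc/passwd"} {
		p, err := resolveObjectPath(base, "ns1", id)
		fmt.Printf("%-12s -> path=%q err=%v\n", id, p, err)
	}
}
```

The separator-aware comparison is the part that matters: checking `rel` against `".."` and `"../"` rather than checking the raw string for a prefix is what prevents both the `../` traversal and the similarly named sibling directory from passing.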

Potential Impact

For European organizations, this vulnerability poses a significant risk to data confidentiality and integrity within environments using lakeFS for object storage versioning. Unauthorized access to files outside designated storage areas can lead to exposure of sensitive data, including potentially regulated personal or corporate information, violating GDPR and other compliance requirements. Integrity compromise could result in unauthorized modification or deletion of critical files, undermining data reliability and trustworthiness. Since lakeFS is often integrated into cloud-native data platforms, this vulnerability could affect data lakes, analytics pipelines, and backup systems. The requirement for authentication limits exposure to internal or trusted users, but insider threats or compromised credentials could be leveraged to exploit this flaw. The lack of availability impact means systems remain operational, but data breaches or tampering could have severe operational and reputational consequences. Organizations relying on lakeFS for data governance and version control must urgently update to version 1.77.0 to mitigate these risks.

Mitigation Recommendations

European organizations should immediately upgrade all lakeFS deployments to version 1.77.0 or later, where the vulnerability is fixed. Until patching is complete, restrict access to lakeFS interfaces to trusted users and networks, enforcing strict authentication and authorization controls. Implement monitoring and alerting for unusual file access patterns or attempts to use path traversal sequences in object identifiers. Conduct audits of storage namespaces and file permissions to detect any unauthorized access or modifications. Employ network segmentation to isolate lakeFS services from broader enterprise networks, reducing the attack surface. Review and tighten identity and access management policies to minimize the risk of credential compromise. Additionally, consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block path traversal attempts targeting lakeFS endpoints. Finally, educate developers and administrators about secure coding practices related to path validation to prevent similar issues in custom integrations.
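The monitoring step above, as an added example that is not part of this advisory or of lakeFS: a detector that flags object identifiers containing a parent-directory segment after percent-decoding (so single and double URL encoding and backslash separators do not slip past a literal "../" match), run over a few constructed access-log lines. The log format (timestamp, user, operation, object key) and the sample entries are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog holds constructed access-log lines: "<timestamp> <user> <op> <object-key>".
var sampleLog = []string{
	"2026-02-13T18:34:10Z alice GET data/a.parquet",
	"2026-02-13T18:35:02Z bob GET ..%2F..%2Fother/secret",
	"2026-02-13T18:36:44Z carol PUT ..%252F..%252Fns2/x",
	"2026-02-13T18:37:05Z dave GET reports/2026/foo..bar.csv",
}

// hasTraversal reports whether an object identifier contains a ".." path
// segment once percent-encoding has been removed and backslashes are treated
// as separators. Decoding is repeated a bounded number of times so that
// double-encoded input ("%252e%252e") is normalised the same way a lenient
// server-side decoder would normalise it.
func hasTraversal(identifier string) bool {
	decoded := identifier
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(decoded)
		if err != nil || d == decoded {
			break
		}
		decoded = d
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// suspiciousRequests returns the log lines whose object-key field contains a
// traversal segment; lines with too few fields are skipped rather than flagged.
func suspiciousRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue
		}
		if hasTraversal(fields[3]) {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	for _, line := range suspiciousRequests(sampleLog) {
		fmt.Println("ALERT path traversal attempt:", line)
	}
}
```

Matching on whole segments rather than on the substring ".." keeps names like "foo..bar.csv" from producing false positives, which matters when the alert feeds an on-call rotation.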

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-11T19:56:24.812Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698f723cc9e1ff5ad857abde

Added to database: 2/13/2026, 6:49:32 PM

Last enriched: 2/13/2026, 7:03:31 PM

Last updated: 2/13/2026, 8:00:32 PM