CVE-2026-26960: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-26960 affects the isaacs node-tar package, a widely used Node.js library for handling tar archives. In versions 7.5.7 and below, when extracting archives with default options, an attacker can craft a malicious tar archive containing hardlinks that point to files outside the extraction directory. This path traversal flaw (CWE-22) allows the attacker to bypass the intended directory restrictions and perform arbitrary file read and write operations as the user running the extraction process. The root cause is improper limitation of pathnames during extraction, failing to sanitize or restrict hardlink targets. This effectively turns the archive extraction process into a direct filesystem access primitive, which can be leveraged to overwrite critical files or read sensitive data. The vulnerability requires user interaction to extract the malicious archive but does not require prior authentication. The flaw has been addressed in node-tar version 7.5.8 by implementing stricter path validation and hardlink handling. Although no known exploits are reported in the wild, the high impact on confidentiality and integrity combined with ease of exploitation makes this a significant threat for affected systems.
Potential Impact
This vulnerability can lead to unauthorized disclosure and modification of files on systems where vulnerable node-tar versions are used, potentially compromising sensitive data and system integrity. Attackers can overwrite configuration files, inject malicious code, or read sensitive files by exploiting the hardlink path traversal during archive extraction. Since node-tar is commonly used in development, deployment, and CI/CD pipelines, exploitation could affect a wide range of applications and services, leading to supply chain risks and persistent compromise. The impact is especially critical in environments where extraction occurs with elevated privileges or on shared infrastructure. Although availability is not directly affected, the integrity and confidentiality breaches can have severe operational and reputational consequences for organizations worldwide.
Mitigation Recommendations
The primary mitigation is to upgrade all instances of node-tar to version 7.5.8 or later, where the vulnerability is fixed. Organizations should audit their codebases and dependencies to identify and update vulnerable versions. Additionally, implement strict validation and sanitization of archive contents before extraction, especially when archives originate from untrusted sources. Employ the principle of least privilege by running extraction processes with minimal permissions to limit potential damage. Use containerization or sandboxing to isolate extraction environments. Monitor logs and file system changes for suspicious activity related to archive extraction. Incorporate security scanning tools that detect vulnerable dependencies and enforce automated patching in CI/CD pipelines to prevent future exposure.
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-16T22:20:28.611Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6997b995d7880ec89b49375c
Added to database: 2/20/2026, 1:32:05 AM
Last enriched: 2/28/2026, 2:49:06 PM
Last updated: 4/5/2026, 10:10:45 PM