Karapace is an open-source project providing Kafka REST proxy and Schema Registry functionalities. Prior to version 6.0.0, Karapace's backup reader module (specifically in backup/backends/v3/backend.py) suffers from a CWE-22 path traversal vulnerability. This vulnerability arises due to insufficient validation of file paths when processing backup files. An attacker who can supply a crafted malicious backup file to the Karapace backup/restore functionality can exploit this flaw to read arbitrary files on the underlying system. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but does require privileges (PR:H) on the system running Karapace, and no user interaction (UI:N) is needed. The scope is changed (S:C) because the vulnerability can affect resources beyond the initially intended directory. The impact is limited to confidentiality (C:L), with no integrity or availability impact. The severity is medium with a CVSS v3.1 score of 4.1. The vulnerability is relevant only if the backup/restore feature is used and untrusted backup files are processed. The issue has been fixed in Karapace version 6.0.0 by improving path validation to restrict file access within intended directories. No public exploits or active exploitation have been reported to date.

The primary impact of CVE-2026-29190 is unauthorized disclosure of sensitive files on systems running vulnerable versions of Karapace. Attackers with the ability to provide malicious backup files can read arbitrary files, potentially exposing configuration files, credentials, or other sensitive data depending on the file system permissions of the Karapace process. This can lead to further compromise if sensitive information is leaked. The vulnerability does not allow code execution or denial of service, limiting its impact to confidentiality breaches. Organizations using Karapace in critical Kafka infrastructure, especially those processing backups from untrusted or external sources, face increased risk of data leakage. The scope of affected systems is limited to those running versions prior to 6.0.0 with backup/restore enabled. Since exploitation requires privileges on the host, the threat is mitigated in environments with strict access controls but remains significant in multi-tenant or shared environments where attackers may gain partial access.

To mitigate CVE-2026-29190, organizations should upgrade Karapace to version 6.0.0 or later, where the vulnerability has been patched. Until upgrade is possible, restrict the use of the backup/restore functionality to trusted sources only, and avoid processing backup files from untrusted or external origins. Implement strict file system permissions for the Karapace process to minimize the impact of arbitrary file reads. Employ network segmentation and access controls to limit who can interact with the backup/restore interfaces. Monitor logs for unusual backup file processing activities. Additionally, conduct regular audits of backup files and validate their integrity before processing. Consider deploying runtime application self-protection (RASP) or file integrity monitoring to detect anomalous file access patterns. Finally, ensure that Karapace runs with the least privileges necessary to reduce exposure.