Karapace is an open-source project providing Kafka REST proxy and Schema Registry functionality. Prior to version 6.0.0, it contains a CWE-22 path traversal vulnerability (CVE-2026-29190) in its backup reader module located in backup/backends/v3/backend.py. The vulnerability arises from insufficient validation of file paths when processing backup files. An attacker who can supply a crafted backup file to Karapace can exploit this flaw to read arbitrary files on the underlying system by traversing directories outside the intended backup directory. This can lead to unauthorized disclosure of sensitive data such as configuration files, credentials, or other critical information accessible by the Karapace process user. The impact depends on the file system permissions of the Karapace service account. The vulnerability requires no user interaction but does require the ability to provide backup files to the system, which implies some level of access or trust in the backup source. The flaw does not allow modification or deletion of files, nor remote code execution. The issue has been fixed in Karapace version 6.0.0 by implementing proper path validation and restrictions. No public exploits have been reported, but the vulnerability poses a risk in environments where backups are restored from untrusted or compromised sources.

The primary impact of CVE-2026-29190 is unauthorized disclosure of sensitive information through arbitrary file reads on systems running vulnerable Karapace versions. Organizations relying on Karapace for Kafka REST and Schema Registry services that use the backup/restore feature are at risk if they process backups from untrusted or potentially malicious sources. Attackers could gain access to configuration files, credentials, or other sensitive data, potentially facilitating further attacks or lateral movement within the network. The severity is medium due to the limited scope (read-only access) and the requirement for attacker-supplied backup files. However, in high-security environments or where sensitive data is stored on the same system, the impact could be significant. The vulnerability does not directly allow code execution or denial of service, limiting its immediate destructive potential. Organizations with strict data confidentiality requirements or those operating in regulated industries should prioritize remediation to prevent data leakage.

1. Upgrade Karapace to version 6.0.0 or later, where this vulnerability is patched with proper path validation. 2. Restrict the sources of backup files to trusted and verified origins only; avoid processing backups from untrusted or external sources. 3. Run Karapace with the least privilege principle, ensuring the service account has minimal file system permissions, limiting accessible files to only those necessary for operation. 4. Implement file integrity monitoring on backup directories to detect unauthorized or suspicious backup files. 5. Use network segmentation and access controls to limit who can upload or restore backups to the Karapace service. 6. Regularly audit backup and restore processes and logs for anomalies indicating potential exploitation attempts. 7. Consider additional application-layer controls or sandboxing to isolate the backup processing component. These steps go beyond generic advice by focusing on controlling backup sources, enforcing strict permissions, and monitoring backup integrity.