CVE-2026-32733 is a path traversal vulnerability identified in the Halloy IRC client, a Rust-based application developed by squidowl. The vulnerability stems from improper limitation of pathname to a restricted directory (CWE-22) in the DCC receive flow. Specifically, before commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, Halloy did not sanitize filenames received in DCC SEND requests. An attacker controlling a remote IRC user can craft filenames with path traversal sequences such as '../../.ssh/authorized_keys'. When Halloy processes these requests, it writes files outside the configured save directory, potentially overwriting critical system or user files. This can lead to unauthorized file creation or modification, compromising system integrity and confidentiality. The vulnerability is particularly severe because it requires no privileges or user interaction if auto-accept for DCC SEND is enabled, allowing fully remote exploitation. The flaw affects all versions of Halloy up to and including 2026.4. The fix involves sanitizing all filename inputs through a shared sanitize_filename function, preventing directory traversal sequences from escaping the intended save directory. The CVSS 4.0 score of 8.7 reflects the vulnerability's network attack vector, low complexity, no privileges or user interaction required, and high impact on integrity. No known exploits have been reported in the wild as of publication.

The impact of CVE-2026-32733 is significant for organizations using the Halloy IRC client, especially those with auto-accept enabled for DCC SEND. Successful exploitation allows remote attackers to write arbitrary files outside the designated save directory, potentially overwriting sensitive files such as SSH authorized_keys or configuration files. This can lead to unauthorized system access, privilege escalation, persistent backdoors, or disruption of services. The integrity of affected systems is directly compromised, and confidentiality may be breached if sensitive files are overwritten or replaced. The vulnerability does not directly affect availability but could indirectly cause denial of service through system instability or security controls triggered by malicious file writes. Given the ease of exploitation without authentication or user interaction, attackers can rapidly compromise vulnerable endpoints. Organizations relying on Halloy for communication or automation may face increased risk of targeted attacks, especially in environments where IRC remains a communication vector.

To mitigate CVE-2026-32733, organizations should immediately update Halloy to versions released after commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or version 2026.5 and later, where filename sanitization is enforced. If updating is not immediately feasible, disable the auto-accept feature for DCC SEND requests to prevent automatic file writes from untrusted sources. Additionally, implement network-level controls to restrict IRC traffic to trusted servers and users. Employ host-based monitoring to detect unexpected file writes outside designated directories, particularly in sensitive paths like user home directories or SSH configurations. Conduct regular audits of file integrity in critical directories to identify unauthorized changes. Educate users about the risks of accepting unsolicited DCC SEND requests. Finally, consider isolating Halloy usage within sandboxed environments or containers to limit the impact of potential exploitation.