CVE-2026-32733: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in squidowl halloy
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
AI Analysis
Technical Summary
CVE-2026-32733 is a path traversal vulnerability (CWE-22) identified in Halloy, an IRC client written in Rust and maintained by squidowl. The flaw exists in the DCC (Direct Client-to-Client) file receive flow, where filenames from incoming DCC SEND requests were not properly sanitized before being used to write files to disk. Specifically, attackers could include path traversal sequences such as '../../.ssh/authorized_keys' in the filename, causing the application to write files outside the user-configured save directory. This could lead to overwriting or creating arbitrary files on the victim's system. The vulnerability is particularly dangerous when the auto-accept feature for DCC SEND is enabled, as it requires no user interaction or authentication, allowing remote attackers to exploit it silently. The issue was fixed starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 by introducing a centralized filename sanitization function that cleans all relevant code paths. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, no required privileges or user interaction, and high impact on integrity. No known exploits have been reported in the wild as of the publication date. The vulnerability affects all Halloy versions up to and including 2026.4.
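An added example, not Halloy's code and not the contents of the fix commit: one way a DCC receive path can reduce an untrusted filename to a single component and confirm the destination stays inside `save_directory`. Only the name `sanitize_filename` comes from the advisory; the function bodies, `resolve_in_save_dir`, and the sample paths are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce an untrusted DCC SEND filename to one safe path component.
/// Illustrative helper; NOT Halloy's actual `sanitize_filename`.
fn sanitize_filename(raw: &str) -> Option<String> {
    // Split on both separators regardless of host OS, so `..\..\x` sent
    // to a Unix client is treated like `../../x`. Keep only the last part.
    let last = raw.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or("");
    // Drop control characters (incl. NUL) and ':' (drive / stream syntax).
    let cleaned: String = last.chars().filter(|c| !c.is_control() && *c != ':').collect();
    let cleaned = cleaned.trim();
    // Reject names that are empty or still refer to a directory.
    if cleaned.is_empty() || cleaned == "." || cleaned == ".." {
        return None;
    }
    Some(cleaned.to_string())
}

/// Build the destination path and verify it is a direct child of `save_dir`.
/// Hypothetical helper name; the advisory does not describe this step.
fn resolve_in_save_dir(save_dir: &Path, raw: &str) -> Option<PathBuf> {
    let name = sanitize_filename(raw)?;
    let candidate = save_dir.join(&name);
    // Defence in depth: exactly one normal component below save_dir.
    let is_direct_child = {
        let mut rel = candidate.strip_prefix(save_dir).ok()?.components();
        matches!((rel.next(), rel.next()), (Some(Component::Normal(_)), None))
    };
    if is_direct_child { Some(candidate) } else { None }
}

fn main() {
    // Constructed sample inputs, including the traversal string from the advisory.
    let save_dir = Path::new("/home/user/Downloads");
    for raw in ["report.pdf", "../../.ssh/authorized_keys", "..\\..\\evil.txt", "..", "a/"] {
        println!("{:?} -> {:?}", raw, resolve_in_save_dir(save_dir, raw));
    }
}
```

A name that sanitizes to `None` should cause the transfer to be rejected rather than saved under a fallback name chosen from the same untrusted input.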
Potential Impact
The primary impact of this vulnerability is the potential for remote attackers to write arbitrary files anywhere on the victim's filesystem, bypassing intended directory restrictions. This can lead to unauthorized modification or creation of sensitive files, such as SSH authorized_keys, configuration files, or scripts, potentially enabling further system compromise or persistent access. The lack of required authentication and user interaction, combined with network-based exploitation, increases the risk of widespread exploitation in environments where Halloy is used with auto-accept enabled. Organizations relying on Halloy for IRC communications, especially those in sensitive or high-security environments, face risks of data integrity loss, unauthorized access, and potential lateral movement within networks. Although no active exploits are currently known, the vulnerability's characteristics make it a critical concern for affected users.
Mitigation Recommendations
1. Upgrade Halloy to a version released after commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or any version later than 2026.4 that includes the filename sanitization fix.
2. Temporarily disable the auto-accept feature for DCC SEND requests to prevent automatic file writes without user validation.
3. Implement network-level controls to restrict IRC traffic to trusted sources, reducing exposure to malicious DCC SEND requests.
4. Monitor filesystem changes in directories commonly targeted by path traversal attacks, such as user home directories and SSH configuration folders.
5. Educate users about the risks of enabling auto-accept and encourage manual validation of incoming file transfers.
6. Consider deploying host-based intrusion detection systems (HIDS) to alert on suspicious file writes outside expected directories.
7. Review and harden file system permissions to limit the impact of unauthorized file writes by applications.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.627Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bdda57b462d409683a8c69
Added to database: 3/20/2026, 11:37:59 PM
Last enriched: 3/28/2026, 9:26:14 PM
Last updated: 5/2/2026, 2:27:57 PM