CVE-2026-32805 is a path traversal vulnerability identified in the Romeo tool developed by ctfer-io, which assists in measuring code coverage for Go applications (version 1.20 and above) within GitHub Actions workflows. The vulnerability stems from an improper validation in the sanitizeArchivePath function located in webserver/api/v1/decoder.go (lines 80-88) prior to version 0.2.2. Specifically, the function uses strings.HasPrefix to check if archive file paths are within a restricted directory but fails to include a trailing path separator in the check. This oversight allows an attacker to craft a malicious tar archive containing file paths that traverse outside the intended extraction directory (e.g., using ../ sequences). When such an archive is processed, files can be written to arbitrary locations on the host filesystem, potentially overwriting critical files or injecting malicious code. The vulnerability does not require authentication or user interaction and can be exploited remotely if the vulnerable Romeo version processes untrusted archives. The CVSS 4.0 base score is 8.3 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity. The scope is limited to Romeo versions before 0.2.2, which has addressed the issue by properly validating paths with the trailing separator included. No known exploits in the wild have been reported yet, but the vulnerability poses a significant risk in automated CI/CD environments where Romeo is used.

The impact of CVE-2026-32805 is significant for organizations using Romeo in their continuous integration and deployment pipelines, especially those running Go applications with version 1.20 or later. Exploitation allows attackers to write arbitrary files outside the intended directory, which can lead to overwriting critical system or application files, injecting malicious payloads, or disrupting build and deployment processes. This compromises the confidentiality, integrity, and availability of the affected systems. In environments where Romeo is integrated into automated workflows, successful exploitation could lead to persistent backdoors, unauthorized code execution, or supply chain compromises. Given the network-exposed nature of GitHub Actions and the automation context, the vulnerability could be leveraged by attackers to escalate privileges or pivot within development infrastructure. Although no active exploits are reported, the ease of exploitation and high impact necessitate urgent remediation to prevent potential damage.

To mitigate CVE-2026-32805, organizations should immediately upgrade Romeo to version 0.2.2 or later, where the path traversal vulnerability is fixed. Additionally, implement strict validation and sanitization of all archive file paths before extraction, ensuring that path traversal sequences (e.g., ../) are detected and blocked. Employ sandboxing or containerization for CI/CD jobs to limit filesystem access and reduce the blast radius of potential exploits. Monitor and audit GitHub Actions workflows for usage of vulnerable Romeo versions and untrusted archive inputs. Consider implementing file integrity monitoring on critical directories to detect unauthorized changes. Finally, educate development and DevOps teams about the risks of processing untrusted archives and enforce the principle of least privilege for CI/CD pipeline components.