CVE-2026-34726 is a path traversal vulnerability classified under CWE-22 affecting the Copier library and CLI application, which is used for rendering project templates. Prior to version 9.14.1, the _subdirectory setting, which defines the template root directory, did not properly sanitize input paths. Specifically, it accepted parent directory traversal sequences such as '..' without restriction. This flaw allows an attacker to escape the intended template directory and cause Copier to render files from directories above the template root. Notably, this occurs even without the --UNSAFE flag, which is normally required to allow unsafe operations. The vulnerability requires local access and user interaction, as the attacker must provide crafted input to the _subdirectory setting. The CVSS v3.1 score is 4.4 (medium), reflecting limited impact on confidentiality and integrity, no impact on availability, and the need for user interaction and local access. No known exploits are currently reported in the wild. The issue was patched in Copier version 9.14.1 by properly restricting path traversal sequences in the _subdirectory parameter to prevent escaping the template root directory. This vulnerability could be exploited to read or render unintended files, potentially leaking sensitive information or causing incorrect template generation.

The primary impact of this vulnerability is unauthorized access to files outside the intended template directory, which can lead to information disclosure or manipulation of template rendering outputs. Organizations using Copier for automated project scaffolding or configuration generation may inadvertently expose sensitive files or inject unintended content into generated projects. While the vulnerability does not directly affect availability, it compromises confidentiality and integrity to a limited extent. Since exploitation requires local access and user interaction, the risk is mitigated in environments with strict user controls but remains significant in multi-user or developer environments where malicious or compromised users could exploit this flaw. The vulnerability could also be leveraged as part of a broader attack chain to escalate privileges or move laterally by accessing configuration files or scripts outside the template scope.

The most effective mitigation is to upgrade Copier to version 9.14.1 or later, where the vulnerability is patched. Until upgrading is possible, organizations should restrict access to Copier usage to trusted users only and avoid using untrusted or user-supplied input for the _subdirectory setting. Implement strict input validation or sanitization on any parameters controlling template paths to prevent directory traversal sequences. Additionally, monitor and audit Copier usage logs to detect unusual template rendering requests that attempt to access parent directories. Employ file system permissions to limit Copier's read access to only necessary directories, reducing the impact of potential traversal attempts. Educate developers and users about the risks of using unsafe flags or parameters that could exacerbate this vulnerability.