The vulnerability identified as CVE-2026-34730 affects copier, a library and CLI tool used for rendering project templates. The flaw is a path traversal issue (CWE-22) in the _external_data feature, which permits templates to specify paths for loading YAML files. Prior to version 9.14.1, copier does not properly restrict these paths to safe directories, allowing a malicious template to specify arbitrary local file paths. When such a template is rendered, copier reads the contents of these files if accessible by the user running the process and includes their data in the output. This can lead to sensitive information disclosure, such as configuration files, credentials, or other private data. The vulnerability requires that untrusted or attacker-controlled templates be processed, and user interaction is necessary to trigger the rendering. The CVSS v3.1 base score is 5.5 (medium), reflecting local attack vector, low attack complexity, no privileges required, but requiring user interaction. The vulnerability does not impact integrity or availability, only confidentiality. The issue has been fixed in copier version 9.14.1 by restricting path traversal and limiting file access to intended directories. No known exploits have been reported, but the risk remains if untrusted templates are used.

Organizations using copier versions prior to 9.14.1 that process templates from untrusted or external sources face a risk of sensitive data exposure. Attackers who can supply or influence templates can exploit this vulnerability to read arbitrary files accessible to the copier user, potentially leaking secrets such as private keys, credentials, or proprietary configuration data. This can lead to information disclosure that aids further attacks or compromises confidentiality. The impact is limited to the confidentiality of data on the host running copier and does not affect system integrity or availability. Since copier is often used in development and automation pipelines, exposure of sensitive project or environment data could have downstream effects on software supply chain security. However, exploitation requires user interaction and the presence of untrusted templates, reducing the likelihood in controlled environments. No widespread exploitation is currently known.

To mitigate this vulnerability, organizations should upgrade copier to version 9.14.1 or later, where the path traversal issue is patched. Avoid processing templates from untrusted or unauthenticated sources, and implement strict validation or sandboxing of templates before rendering. Restrict copier execution to users with minimal privileges and ensure that the environment does not contain sensitive files accessible to the copier user. Employ file system permissions to limit access to critical files that should not be exposed. Additionally, incorporate security reviews and scanning of templates to detect malicious path traversal attempts. Monitoring logs for unusual file access patterns during template rendering can help detect exploitation attempts. Finally, educate developers and DevOps teams about the risks of using untrusted templates in automation workflows.