CVE-2026-26187: escaping the Lake with a Path Traversal Two-Step

via Dev.to, CVE Reports

Vulnerability ID: CVE-2026-26187
CVSS Score: 8.1
Published: 2026-02-13

A critical path traversal vulnerability in the lakeFS Local Block Adapter allows authenticated users to break out of their storage namespace boundaries. By exploiting a weak prefix validation check and a namespace logic error, attackers can read and write files in sibling repositories or unrelated directories on the host filesystem.

TL;DR

lakeFS failed to properly sanitize file paths in its Local Block Adapter. Due to a missing trailing slash in a prefix check and loose namespace validation, attackers can use ../ sequences to access files outside their repo. Fixed in v1.77.0.

⚠️ Exploit Status: POC

Technical Details

CVE ID: CVE-2026-26187
CVSS Score: 8.1 (High)
CWE: CWE-22 (Path Traversal)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Versions: < 1.77.0
Fix Version: 1.77.0

Affected Systems

lakeFS (Local Block Adapter)
treeverse/la
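
The missing-trailing-slash weakness named in the TL;DR, shown beside a component-aware containment check. This is an added Go example, not lakeFS code and not taken from the original article; the function names (weakContains, strictContains) and the /srv/store directory layout are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// weakContains (hypothetical) shows the bug class: a raw string-prefix test
// against a root that has no trailing separator. Any sibling directory whose
// name merely starts with the root's name passes.
func weakContains(root, key string) bool {
	resolved := filepath.Join(root, key) // Join also collapses "../" segments
	return strings.HasPrefix(resolved, root)
}

// strictContains (hypothetical) decides containment on path components:
// the resolved path must be the root itself or lie below it.
// It is lexical only and does not resolve symlinks.
func strictContains(root, key string) bool {
	root = filepath.Clean(root)
	rel, err := filepath.Rel(root, filepath.Join(root, key))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "/srv/store/repo1" // constructed namespace root
	keys := []string{           // constructed object keys
		"objects/a.parquet",
		"../repo10/objects/a.parquet", // sibling sharing the "repo1" prefix
		"../../etc/x",
	}
	for _, k := range keys {
		fmt.Printf("%-30s weak=%-5v strict=%v\n", k,
			weakContains(root, k), strictContains(root, k))
	}
}
```

The sibling key passes the weak check because "/srv/store/repo10/..." begins with the string "/srv/store/repo1"; the component-aware check rejects it.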
