Vulnerability Details CVE-2026-26032
The PackagerResolver of Apache Ivy is able to download online
artifacts and to (re)package them in a format defined by a
packager.xml file. This repackaging is done by an Ant script, which is
stored in a subdirectory of the configured "buildRoot" directory. This
subdirectory is calculated based on modules coordinates, like the
organisation, name or version.
If one of the coordinates contains "../" sequences - which are valid
characters for Ivy coordinates in general- it is possible to break out
of the configured "buildRoot" directory where other files can be
overwritten.
In order to exploit this vulnerability an attacker needs to have
access to a packager repository and add or modify the coordinates in
ivy.xml files to have such "../" sequences.
Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 43.9%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-26032
-
cpe:2.3:a:apache:ivy:2.0.0
-
cpe:2.3:a:apache:ivy:2.1.0
-
cpe:2.3:a:apache:ivy:2.2.0
-
cpe:2.3:a:apache:ivy:2.3.0
-
cpe:2.3:a:apache:ivy:2.4.0
-
cpe:2.3:a:apache:ivy:2.5.0
-
cpe:2.3:a:apache:ivy:2.5.1
-
cpe:2.3:a:apache:ivy:2.5.2
-
cpe:2.3:a:apache:ivy:2.5.3