The PackagerResolver of Apache Ivy is able to download online
artifacts and to (re)package them in a format defined by a
packager.xml file. This repackaging is done by an Ant script, which is
stored in a subdirectory of the configured "buildRoot" directory. This
subdirectory is calculated based on modules coordinates, like the
organisation, name or version.
If one of the coordinates contains "../" sequences - which are valid
characters for Ivy coordinates in general- it is possible to break out
of the configured "buildRoot" directory where other files can be
overwritten.
In order to exploit this vulnerability an attacker needs to have
access to a packager repository and add or modify the coordinates in
ivy.xml files to have such "../" sequences.
Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apache
Apache ivy |
|
| Vendors & Products |
Apache
Apache ivy |
Wed, 15 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 15 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The PackagerResolver of Apache Ivy is able to download online artifacts and to (re)package them in a format defined by a packager.xml file. This repackaging is done by an Ant script, which is stored in a subdirectory of the configured "buildRoot" directory. This subdirectory is calculated based on modules coordinates, like the organisation, name or version. If one of the coordinates contains "../" sequences - which are valid characters for Ivy coordinates in general- it is possible to break out of the configured "buildRoot" directory where other files can be overwritten. In order to exploit this vulnerability an attacker needs to have access to a packager repository and add or modify the coordinates in ivy.xml files to have such "../" sequences. Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0. | |
| Title | Apache Ivy: PackagerResolver path traversal vulnerability | |
| Weaknesses | CWE-22 | |
| References |
|
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-15T19:31:07.994Z
Reserved: 2026-02-09T22:55:23.574Z
Link: CVE-2026-26032
Updated: 2026-07-15T19:27:51.628Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z