GHSA-CR2J-534F-MF3G
Vulnerability from github – Published: 2026-06-26 19:20 – Updated: 2026-06-26 19:20Impact
The limit container paths directive in apptainer.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.
For example, the configuration:
limit container paths = /data/safe
Will also allow containers in /data/safe-but-unsafe to be run.
Patches
The issue is patched in apptainer version 1.5.1.
Workarounds
If developers do not use setuid mode or do not use the limit container paths functionality, then this issue does not affect their installation. Note that, as documented [1], if user namespaces are allowed for unrestricted use then this functionality does not stop users from running any container of their choice.
If developers do use the limit container paths functionality they are advised to update.
Credit
This vulnerability was discovered and disclosed to the Apptainer project by Dave Trudgian of Sylabs.
Resources
[1] https://apptainer.org/docs/admin/latest/configfiles.html#limiting-container-execution
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apptainer/apptainer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48785"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T19:20:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `limit container paths directive` in `apptainer.conf` is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.\n\nFor example, the configuration:\n```\nlimit container paths = /data/safe\n```\nWill also allow containers in /data/safe-but-unsafe to be run.\n\n### Patches\n\nThe issue is patched in apptainer version 1.5.1.\n\n### Workarounds\n\nIf developers do not use setuid mode or do not use the `limit container paths` functionality, then this issue does not affect their installation. Note that, as documented [1], if user namespaces are allowed for unrestricted use then this functionality does not stop users from running any container of their choice.\n\nIf developers do use the `limit container paths` functionality they are advised to update.\n\n### Credit\n\nThis vulnerability was discovered and disclosed to the Apptainer project by Dave Trudgian of Sylabs.\n\n### Resources\n\n[1] https://apptainer.org/docs/admin/latest/configfiles.html#limiting-container-execution",
"id": "GHSA-cr2j-534f-mf3g",
"modified": "2026-06-26T19:20:33Z",
"published": "2026-06-26T19:20:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-cr2j-534f-mf3g"
},
{
"type": "PACKAGE",
"url": "https://github.com/apptainer/apptainer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apptainer has incorrect path matching for \u0027limit container paths\u0027 directive "
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.