GHSA-wqcr-7rf3-f64m

Source
https://github.com/advisories/GHSA-wqcr-7rf3-f64m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wqcr-7rf3-f64m/GHSA-wqcr-7rf3-f64m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wqcr-7rf3-f64m
Aliases
  • CVE-2026-47215
Published
2026-06-04T17:38:21Z
Modified
2026-06-04T17:45:21.031844703Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Summary
Singularity: Incorrect path matching for 'limit container paths' directive
Details

Impact

The limit container paths directive in singularity.conf is intended to allow a system administrator to limit the paths from which containers can be run in setuid mode. Because a path string is matched incorrectly, sibling directories with similar names may incorrectly be allowed.

For example, the configuration:

limit container paths = /data/safe

will also allow containers in /data/safe-but-unsafe to be run.
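
The following is an added example, not SingularityCE source code. It assumes the faulty match behaves like a raw string-prefix test, and contrasts that with a check on whole path components; the function names and the .sif file names are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naivePrefixAllowed models the bug class (assumption, not project code):
// a raw string-prefix test that ignores path-component boundaries.
func naivePrefixAllowed(image string, allowed []string) bool {
	for _, dir := range allowed {
		if strings.HasPrefix(image, dir) {
			return true
		}
	}
	return false
}

// componentAllowed accepts image only if it is an allowed directory or lies
// beneath one, comparing whole components after lexical cleaning.
// Symlinks are not resolved here; a caller would resolve them first
// (for example with filepath.EvalSymlinks) before making the decision.
func componentAllowed(image string, allowed []string) bool {
	image = filepath.Clean(image)
	for _, dir := range allowed {
		rel, err := filepath.Rel(filepath.Clean(dir), image)
		if err != nil {
			continue // e.g. one path relative, the other absolute
		}
		escapes := rel == ".." ||
			strings.HasPrefix(rel, ".."+string(filepath.Separator))
		if !escapes {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"/data/safe"} // value from the advisory's example
	for _, p := range []string{
		"/data/safe/image.sif",              // constructed sample paths
		"/data/safe-but-unsafe/image.sif",
		"/data/safe/../safe-but-unsafe/image.sif",
	} {
		fmt.Printf("%-42s naive=%-5v component=%v\n",
			p, naivePrefixAllowed(p, allowed), componentAllowed(p, allowed))
	}
}
```
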

Patches

This issue is patched in SingularityCE 4.4.2 and SingularityPRO 4.3.9 / 4.1.14.

Workarounds

If you do not use the limit container paths functionality, then this issue does not affect your installation.

If you do use the limit container paths functionality, then you must update. Please also review the documented limitations when user namespaces are enabled [1].

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T17:38:21Z",
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Go / github.com/sylabs/singularity/v4

Package

Name
github.com/sylabs/singularity/v4
Purl
pkg:golang/github.com/sylabs/singularity/v4

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.4.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wqcr-7rf3-f64m/GHSA-wqcr-7rf3-f64m.json"

Go / github.com/sylabs/singularity

Package

Name
github.com/sylabs/singularity
Purl
pkg:golang/github.com/sylabs/singularity

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
3.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wqcr-7rf3-f64m/GHSA-wqcr-7rf3-f64m.json"