GHSA-cr2j-534f-mf3g

Suggest an improvement
Source
https://github.com/advisories/GHSA-cr2j-534f-mf3g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cr2j-534f-mf3g/GHSA-cr2j-534f-mf3g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cr2j-534f-mf3g
Aliases
  • CVE-2026-48785
Published
2026-06-26T19:20:33Z
Modified
2026-06-26T19:30:08.722391650Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Apptainer has incorrect path matching for 'limit container paths' directive
Details

Impact

The limit container paths directive in apptainer.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.

For example, the configuration:

limit container paths = /data/safe

Will also allow containers in /data/safe-but-unsafe to be run.

Patches

The issue is patched in apptainer version 1.5.1.

Workarounds

If developers do not use setuid mode or do not use the limit container paths functionality, then this issue does not affect their installation. Note that, as documented [1], if user namespaces are allowed for unrestricted use then this functionality does not stop users from running any container of their choice.

If developers do use the limit container paths functionality they are advised to update.

Credit

This vulnerability was discovered and disclosed to the Apptainer project by Dave Trudgian of Sylabs.

Resources

[1] https://apptainer.org/docs/admin/latest/configfiles.html#limiting-container-execution

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-06-26T19:20:33Z"
}
References

Affected packages

Go / github.com/apptainer/apptainer

Package

Name
github.com/apptainer/apptainer
View open source insights on deps.dev
Purl
pkg:golang/github.com/apptainer/apptainer

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cr2j-534f-mf3g/GHSA-cr2j-534f-mf3g.json"