OSEC-2026-03

See a problem?

Import Source

https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-03.json

JSON Data

https://api.osv.dev/v1/vulns/OSEC-2026-03

Aliases

CVE-2026-41082

Published

2026-04-15T22:00:00Z

Modified

2026-04-16T21:00:00Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

opam install sandbox escape

Details

Summary

.install files do not validate whether they are inside the package area, and so can bypass sandboxing.

Exploit

In a package.install file, this installs a file as `~/.bashrc:

bin: [
  "payload.sh" {"../../../.bashrc"}
]

Timeline

2026-04-11: Anil forwarded the issue from Andrew Nesbitt to the OCaml security team
2026-04-11: Kate developed a fix
2026-04-15: opam 2.5.1 was released with the fix

Database specific

{
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-03.json",
    "cwe": [
        "CWE-693"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-03.md"
}

References

Credits

- Andrew Nesbitt - REPORTER
- Kate - REMEDIATION_DEVELOPER
- Raja Boujbel - REMEDIATION_REVIEWER
- Hannes Mehnert - COORDINATOR

Affected packages

opam / opam-devel

Package

Name: opam-devel
Purl: pkg:opam/opam-devel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.1

Type: GIT
Repo: https://github.com/ocaml/opam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d7283e3b5845447ee618794d87cfe224dd980c8f

Type: GIT
Repo: https://github.com/ocaml/opam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c8fcf65779fe7048f9b5ef59886bfa9c5d102d84

Affected versions

2.*

2.0~alpha5

2.0.0~beta

2.0.0~beta3

2.0.0~beta3.1

2.0.0~beta5

2.0.0~rc

2.0.0~rc2

2.0.0~rc3

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.1.0~beta2

2.1.0~beta4

2.1.0~rc

2.1.0~rc2

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0~alpha

2.2.0~alpha2

2.2.0~alpha3

2.2.0~beta1

2.2.0~beta2

2.2.0~beta3

2.2.0~rc1

2.2.0

2.2.1

2.3.0~alpha1

2.3.0~beta1

2.3.0~beta2

2.3.0~rc1

2.3.0

2.4.0~alpha1

2.4.0~alpha2

2.4.0~beta1

2.4.0~rc1

2.4.0

2.4.1

2.5.0~alpha1

2.5.0~beta1

2.5.0~rc1

2.5.0

Ecosystem specific

{
    "opam_constraint": "opam-devel {< \"2.5.1\"}"
}

Database specific

source

"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-03.json"