Common Weakness Enumeration

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CVE-2026-9804 (GCVE-0-2026-9804)

Vulnerability from cvelistv5 – Published: 2026-05-28 08:15 – Updated: 2026-06-30 12:10
VLAI
Title
Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read
Summary
A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2026:27903 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27913 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27914 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27983 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28002 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-9804 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2482487 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
Impacted products
Vendor Product Version
Red Hat Red Hat Container Native Virtualization 4.17 Unaffected: 1781757410 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.17::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.18 Unaffected: 1781928221 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.18::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.19 Unaffected: 1781590993 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.20 Unaffected: 1781838712 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.20::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.21 Unaffected: 1782012918 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.21::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.17     cpe:/a:redhat:container_native_virtualization:4.17::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.18     cpe:/a:redhat:container_native_virtualization:4.18::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.19     cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.20     cpe:/a:redhat:container_native_virtualization:4.20::el9
Create a notification for this product.
Red Hat Red Hat Container Native Virtualization 4.21     cpe:/a:redhat:container_native_virtualization:4.21::el9
Create a notification for this product.
Date Public
2026-05-28 06:00
Credits
Red Hat would like to thank Thai Son Dinh, GitHub: @sondt99 (VinSOC) for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9804",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-30T01:54:32.833433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-30T01:54:43.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.17::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Container Native Virtualization 4.17",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.18::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Container Native Virtualization 4.18",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Container Native Virtualization 4.19",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.20::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Container Native Virtualization 4.20",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.21::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Container Native Virtualization 4.21",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-28T06:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in KubeVirt\u0027s virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod\u0027s filesystem. This leads to information disclosure, potentially exposing sensitive data."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-59",
                "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:10:49.089Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-9804"
          },
          {
            "name": "RHBZ#2482487",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482487"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9804.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28002"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27913"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27914"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27983"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27903"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:28002: Red Hat Container Native Virtualization 4.17"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27913: Red Hat Container Native Virtualization 4.18"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27914: Red Hat Container Native Virtualization 4.19"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27983: Red Hat Container Native Virtualization 4.20"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27903: Red Hat Container Native Virtualization 4.21"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-18T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-28T06:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "kubevirt: kubevirt: VMExport directory symlink escape enables exporter pod file read",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.17::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.17",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781757410",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.18::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.18",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781928221",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781590993",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.20::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.20",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781838712",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.21::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "Red Hat Container Native Virtualization 4.21",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1782012918",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver",
          "product": "Red Hat OpenShift Virtualization 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Thai Son Dinh, GitHub: @sondt99 (VinSOC) for reporting this issue."
        }
      ],
      "datePublic": "2026-05-28T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in KubeVirt\u0027s virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod\u0027s filesystem. This leads to information disclosure, potentially exposing sensitive data."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T19:24:45.875Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:27903",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27903"
        },
        {
          "name": "RHSA-2026:27913",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27913"
        },
        {
          "name": "RHSA-2026:27914",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27914"
        },
        {
          "name": "RHSA-2026:27983",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:27983"
        },
        {
          "name": "RHSA-2026:28002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28002"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-9804"
        },
        {
          "name": "RHBZ#2482487",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482487"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-18T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-05-28T06:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-9804",
    "datePublished": "2026-05-28T08:15:39.779Z",
    "dateReserved": "2026-05-28T06:10:07.134Z",
    "dateUpdated": "2026-06-30T12:10:49.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}










Mitigation ID: MIT-48.1

Phase: Architecture and Design

Strategy: Separation of Privilege

Description:

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Back to CWE stats page