CVE-2026-29050: Path Traversal to Command Execution in Chainguard Melange

Melange is a utility designed to build APK packages using declarative pipeline configurations. These pipelines specify sequences of execution steps required to compile and package software components. The system is designed to read pipeline configurations constrained within a dedicated workspace directory.

CVE-2026-29050 represents a CWE-22 (Path Traversal) vulnerability affecting the pipeline resolution mechanism. The vulnerability specifically resides in the (*Compiled).compilePipeline function within pkg/build/compile.go. This function processes the pipeline[].uses configuration field to dynamically load external pipeline components.

The flaw allows an attacker to supply directory traversal sequences within the uses field to load YAML files located outside the intended pipeline directory. When the compiler parses these out-of-tree files, it evaluates their directives using the standard pipeline execution engine. This bypasses the intended boundary that restricts execution to trusted, in-tree pipeline definitions.

This vulnerability affects melange deployments beginning with version 0.32.0. The risk is fully addressed in version 0.43.4. Exploitation relies on the target process possessing read access to the malicious file and the ability of an attacker to influence the configuration submitted to the build process.

The root cause of this vulnerability is the complete lack of input sanitization on the uses field during the pipeline compilation phase. When melange processes a configuration file, it extracts the string value associated with the uses key. The software assumes this value corresponds to a local, relative filename without performing verification.

The extracted string is passed directly into filepath.Join(pipelineDir, uses + ".yaml"). The filepath.Join function in Go performs lexical path resolution, combining the base directory with the user-provided input. If the input contains ../ sequences, the function evaluates them during the join operation, moving the resolved path backward up the directory tree.

Because the input validation step is missing, an attacker providing sufficient ../ sequences forces the resolved path to escape the intended pipelineDir. The returned path points to an arbitrary location on the filesystem. Melange then instructs the operating system to read from this resultant path.

Upon successfully loading the external file, melange proceeds to parse it as a valid pipeline component. The internal execution engine does not track the file's original location once loaded. It executes any embedded runs block via /bin/sh -c inside the build sandbox, treating the instructions with the same authority as legitimate build steps.

The vulnerable implementation directly accesses the filesystem using untrusted user input without implementing bounds checks. The code snippet below demonstrates the exact operation in pkg/build/compile.go prior to the patch implementation.

// Prior to fix
data, err = os.ReadFile(filepath.Join(pd, uses+".yaml")) 

The patch introduced in commit 5829ca45cfe14dfeb73ffb716992db3b1b7892ac implements a multi-layered verification strategy. It begins by strictly rejecting absolute paths and explicit traversal strings at the lexical level. This immediate rejection prevents trivial traversal sequences from reaching the filepath resolution functions.

if filepath.IsAbs(uses) || strings.Contains(uses, "..") {
    return fmt.Errorf("invalid pipeline 'uses' value %q: must not contain absolute paths or '..' sequences", uses)
}
// ...
target := filepath.Join(pd, uses+".yaml")
if rel, err := filepath.Rel(pd, filepath.Clean(target)); err != nil || strings.HasPrefix(rel, "..") {
    return fmt.Errorf("pipeline 'uses' value %q resolves outside pipeline directory %q", uses, pd)
}
data, err = os.ReadFile(target)

Following the initial lexical check, the fix performs a jail verification mechanism using filepath.Rel. This secondary check ensures the computed target path resides within the authorized base directory boundary. By calculating the relative path between the base directory and the clean target path, the application can verify the absence of an escape.

The combination of string-based rejection and relative path calculation provides defense against lexical path traversals. However, researchers have noted that these mechanisms do not resolve symlinks on the filesystem. This leaves a theoretical attack surface if attackers possess the capability to write symlinks within the allowed pipeline directory prior to execution.

Exploiting this vulnerability requires the attacker to submit a modified configuration file to a system running melange. This occurs frequently in pull-request-driven continuous integration environments or build-as-a-service architectures. The attacker requires no authentication if the CI system processes unauthenticated pull requests automatically.

The attacker must first stage a malicious YAML file on the host filesystem. This payload contains standard melange execution directives, specifically targeting the runs block to embed a shell command. The placement of this file dictates the required traversal depth in the configuration.

# /tmp/evil.yaml
runs: |
  cat /etc/shadow > /tmp/exfiltrated_data

The attacker then submits a primary configuration file that references the staged payload using traversal sequences. When the automated process executes melange build, the compiler resolves the path to the staged file. It loads the out-of-tree file and executes the defined commands via /bin/sh -c inside the build sandbox.

pipeline:
  - uses: "../../../tmp/evil"

The successful exploitation of CVE-2026-29050 yields restricted remote code execution. Because the commands execute within the melange build sandbox, the attacker is bound by the permissions and capabilities of that specific environment. The attacker cannot directly achieve unconstrained code execution on the underlying host operating system.

The primary impact is a loss of confidentiality. Attackers can read arbitrary files terminating in .yaml across the host system, provided the melange process has read access to those files. While this is restricted by the file extension requirement, configuration files and credentials stored in YAML format remain highly vulnerable to exfiltration.

Integrity is impacted but contained to the sandbox environment. The execution context restricts the attacker's ability to modify core system files or establish persistence on the underlying host. The assigned CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N accurately reflects this localized but substantial risk profile.

Despite the sandbox constraints, this vulnerability circumvents the intended security model of the application. The review boundaries established to vet in-tree pipeline definitions fail when external execution directives are dynamically loaded. This breaks the fundamental trust assumption in build pipelines that rely on repository code reviews.

The official remediation requires upgrading melange to version 0.43.4. This release contains the necessary path validation and jail verification checks to neutralize the lexical traversal vulnerability. Organizations relying on melange within their CI pipelines must prioritize the deployment of this update.

Organizations unable to upgrade immediately must implement strict access controls on the build pipeline. Ensuring melange build only executes against configuration files originating from trusted sources eliminates the primary attack vector. This prevents untrusted actors from injecting the traversal payloads into the build queue.

In automated environments, operators should introduce manual review gates for repository configurations. Security teams can deploy pre-build scripts to parse and validate melange.yaml files before the melange compiler processes them. These scripts must statically analyze the configurations for known malicious patterns.

Pre-build validation scripts must search the pipeline[].uses directives for instances of .. or leading forward slashes. Rejecting configurations containing these string patterns provides an effective interim defense until patches are applied across the infrastructure.