CVE-2026-20613
Published: 23 January 2026
Summary
CVE-2026-20613 is a high-severity Path Traversal (CWE-22) vulnerability in Apple Container. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Registry Run Keys / Startup Folder (T1547.001). The vulnerability is ranked at the 1.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mandates validation of pathnames in archive inputs before extraction, addressing the core lack of pathname validation in ArchiveReader.extractContents().
SI-2 ensures timely identification, reporting, and patching of the vulnerability, as fixed in container 0.8.0 and containerization 0.21.0.
AC-6 enforces least privilege to limit the scope of user-writable directories exploitable via path traversal during archive extraction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file write to user-writable locations, directly facilitating placement of autostart executables (T1547.001) or host binary compromise (T1554) for persistence/execution.
NVD Description
The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
Deeper analysis
CVE-2026-20613 is a path traversal vulnerability (CWE-22) in the ArchiveReader.extractContents() function, which is used by the cctl image load and container image load features. This function lacks pathname validation when extracting archive members, allowing a specially crafted archive to place files into arbitrary user-writable locations on the system via relative pathnames. The vulnerability affects the container and containerization components, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by tricking a user into loading a maliciously constructed archive through cctl or container image load operations. No privileges are required, but user interaction is necessary, and the attack has low complexity. Successful exploitation enables the attacker to overwrite or create files in any user-writable directory, potentially leading to high impacts on confidentiality, integrity, and availability, such as disrupting system files or enabling further compromise.
The GitHub Security Advisory (GHSA-cq3j-qj2h-6rv3) confirms the issue and states it is addressed in container version 0.8.0 and containerization version 0.21.0, recommending users upgrade to these patched releases for mitigation.
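As an added illustration of the missing control described above (this is not Apple Container's code and is not taken from the advisory), the Python below validates every archive member's pathname against the extraction root before anything is written, rejecting relative traversal, absolute names and link targets that escape the root; the archive contents and the destination path /tmp/image-root are constructed sample values.

```python
import io
import os
import posixpath
import tarfile

# Constructed example, not Apple Container's code: the per-member pathname
# validation the advisory says ArchiveReader.extractContents() lacked.

class UnsafeMember(ValueError):
    """An archive member that would be written outside the destination root."""

def resolve_member_path(dest_root: str, name: str) -> str:
    """Return the on-disk path for a member name, or raise UnsafeMember."""
    root = os.path.realpath(dest_root)
    if name.startswith(("/", "\\")):  # absolute names never belong in an image layer
        raise UnsafeMember(f"absolute member name: {name!r}")
    # realpath collapses "a/../../b" and follows symlinks already on disk.
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeMember(f"member escapes destination: {name!r}")
    return target

def audit_archive(archive: bytes, dest_root: str) -> dict[str, list[str]]:
    """Classify every member of an in-memory tar before anything is written."""
    result: dict[str, list[str]] = {"accepted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            try:
                resolve_member_path(dest_root, m.name)
                if m.issym():  # symlink target is relative to the link's directory
                    resolve_member_path(dest_root, posixpath.join(posixpath.dirname(m.name), m.linkname))
                elif m.islnk():  # hard link target is relative to the archive root
                    resolve_member_path(dest_root, m.linkname)
            except UnsafeMember:
                result["rejected"].append(m.name)
            else:
                result["accepted"].append(m.name)
    return result

def build_sample_archive() -> bytes:
    """Constructed sample: benign file, relative traversal, absolute name, escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("rootfs/etc/hostname", "../../escaped.txt", "/absolute.txt"):
            info = tarfile.TarInfo(name)
            info.size = 7
            tar.addfile(info, io.BytesIO(b"sample\n"))
        link = tarfile.TarInfo("rootfs/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

A real extractor would abort on the first rejected member rather than continue; the audit form is used here so the outcome for each member is visible.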
Details
- CWE(s)