CVE-2026-26960
Published: 20 February 2026
Summary
CVE-2026-26960 is a high-severity Path Traversal (CWE-22) vulnerability in Isaacs Tar (node-tar). Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). By exploit likelihood it is ranked at the 0.9th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26960 affects node-tar, a full-featured Tar library for Node.js, in versions 7.5.7 and prior. The vulnerability allows an attacker-controlled archive to create a hardlink within the extraction directory that references a file outside the intended extraction root. This path traversal issue (CWE-22) bypasses standard protections, effectively turning archive extraction into a primitive for arbitrary filesystem read and write operations executed with the privileges of the extracting user. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), rated high severity.
Exploitation is local and low-complexity: the attacker tricks a user into extracting a malicious tar archive with node-tar's default options. No privileges are required from the attacker, but user interaction is needed to initiate extraction. Successful exploitation grants high-impact confidentiality and integrity violations, such as reading sensitive files or overwriting arbitrary ones outside the extraction directory, without affecting availability.
The issue is addressed in node-tar version 7.5.8. Relevant GitHub resources include the security advisory at GHSA-83g3-92jg-28cx and fixing commits 2cb1120bcefe28d7ecc719b41441ade59c52e384 and d18e4e1f846f4ddddc153b0f536a19c050e7499f, which practitioners should review for patch details and upgrade guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8399
Vulnerability details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A malicious tar archive requires user extraction (T1204.002) to trigger the path traversal, which directly enables arbitrary local file reads (T1005) and writes of attacker-controlled content to any path (T1105).
Affected Assets
node-tar (Isaacs Tar) versions 7.5.7 and earlier; fixed in 7.5.8.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of untrusted tar archive paths and hardlink targets to block traversal outside the extraction root.
- SI-2 (Flaw Remediation): requires prompt application of the node-tar 7.5.8 patch that eliminates the hardlink path-traversal flaw.
- Least privilege: limits the extracting process to least-privilege accounts so any successful traversal yields only minimal filesystem access.