Cyber Resilience

CVE-2026-26960

High · Public PoC

Published: 20 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: node-tar 7.5.8
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26960 is a high-severity Path Traversal (CWE-22) vulnerability in Isaacs Tar. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26960 affects node-tar, a full-featured Tar library for Node.js, in versions 7.5.7 and prior. The vulnerability allows an attacker-controlled archive to create a hardlink within the extraction directory that references a file outside the intended extraction root. This path traversal issue (CWE-22) bypasses standard protections, effectively turning archive extraction into a primitive for arbitrary filesystem read and write operations executed with the privileges of the extracting user. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), rated high severity.

A local attacker with low complexity can exploit this by tricking a user into extracting a malicious tar archive using default options. No privileges are required from the attacker, but user interaction is needed to initiate extraction. Successful exploitation grants high-impact confidentiality and integrity violations, such as reading sensitive files or overwriting arbitrary ones outside the extraction directory, without affecting availability.

The issue is addressed in node-tar version 7.5.8. Relevant GitHub resources include the security advisory at GHSA-83g3-92jg-28cx and fixing commits 2cb1120bcefe28d7ecc719b41441ade59c52e384 and d18e4e1f846f4ddddc153b0f536a19c050e7499f, which practitioners should review for patch details and upgrade guidance.

EU & UK References

Vulnerability details

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

A malicious tar archive requires user extraction (T1204.002) to trigger the path traversal, which directly enables arbitrary local file reads (T1005) and writes of attacker-controlled content to any path (T1105).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24842 (same product: Isaacs Tar)
CVE-2026-23950 (same product: Isaacs Tar)
CVE-2025-1915 (shared CWE-22)
CVE-2026-28447 (shared CWE-22)
CVE-2026-28793 (shared CWE-22)
CVE-2026-41589 (shared CWE-22)
CVE-2026-26065 (shared CWE-22)
CVE-2026-33183 (shared CWE-22)
CVE-2026-29064 (shared CWE-22)
CVE-2024-11343 (shared CWE-22)

Affected Assets

isaacs tar, versions ≤ 7.5.8 (as listed here; note that the advisory text above names 7.5.7 and below as affected and 7.5.8 as the fixed release, so verify the installed version against the advisory rather than this range)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-10 (Information Input Validation). Directly enforces validation of untrusted tar archive paths and hardlink targets to block traversal outside the extraction root.

Prevent: SI-2 (Flaw Remediation). Requires prompt application of the node-tar 7.5.8 patch that eliminates the hardlink path-traversal flaw.

Prevent: least privilege. Limits the extracting process to least-privilege accounts so that any successful traversal yields only minimal filesystem access.

References