Cyber Posture

CVE-2026-29064

Severity: High · Public PoC

Published: 06 March 2026
Modified: 11 March 2026
KEV Added: not listed
Patch: fixed in version 0.73.1
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29064 is a high-severity Path Traversal (CWE-22) vulnerability in Lfprojects Zarf. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 7.3rd percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 Flaw Remediation: Directly remediates the path traversal vulnerability by requiring timely patching of Zarf to version 0.73.1 or later.

prevent · SI-10 Information Input Validation: Requires validation of file paths and symlink targets during Zarf package archive extraction to block traversal outside the destination directory.

prevent · Least privilege: Enforces least privilege on the Zarf process to limit the scope and impact of arbitrary file read/write operations via symlink traversal.

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

A malicious Zarf package requires a user to process it (T1204.002); the path traversal then directly enables arbitrary local file reads (T1005) and writes to or manipulation of stored data (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

Deeper analysis (AI)

CVE-2026-29064 is a path traversal vulnerability (CWE-22) in Zarf, an air-gapped native package manager for Kubernetes. The issue affects versions from 0.54.0 up to but not including 0.73.1, where archive extraction mishandles symlinks in a specifically crafted Zarf package. This allows symlinks to point outside the destination directory, enabling arbitrary file reads or writes on the host system processing the package. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).

Exploitation requires local access (AV:L) and user interaction (UI:R): an attacker must get a user to process a malicious Zarf package, but needs no privileges of their own (PR:N). Upon extraction, the symlink traversal grants high-impact confidentiality and integrity violations, allowing arbitrary file read or write operations across the system, which could lead to data exfiltration, modification of critical files, or further privilege escalation in air-gapped Kubernetes environments.

The vulnerability has been patched in Zarf version 0.73.1. Administrators should immediately upgrade affected installations to this version or later to mitigate the issue. Additional details are available in the GitHub release notes at https://github.com/zarf-dev/zarf/releases/tag/v0.73.1 and the security advisory at https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm.
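The check that the SI-10 control above calls for (validating entry paths and symlink targets against the destination before extraction), applied to the escape the analysis describes, as an added example in Go (Zarf is a Go project, but this is illustrative code written for this page, not Zarf's own extraction code or its 0.73.1 fix). It assumes a destination directory of /opt/zarf-extract and a constructed in-memory tar stream whose entry names are invented here; nothing is written to disk.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry whose path or symlink target would escape dest.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// insideDest reports whether candidate (an already-cleaned path) lies within dest.
func insideDest(dest, candidate string) bool {
	rel, err := filepath.Rel(dest, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckEntry validates one tar header before anything is written to disk.
// A symlink target is resolved relative to the link's own directory, because a
// relative target such as "../../etc/passwd" is exactly what escapes dest.
func CheckEntry(dest string, hdr *tar.Header) error {
	dest = filepath.Clean(dest)
	entryPath := filepath.Join(dest, filepath.FromSlash(hdr.Name)) // Join also collapses ".."
	if !insideDest(dest, entryPath) {
		return fmt.Errorf("%w: %q", ErrTraversal, hdr.Name)
	}
	if hdr.Typeflag == tar.TypeSymlink {
		linkTarget := filepath.FromSlash(hdr.Linkname)
		var resolved string
		if filepath.IsAbs(linkTarget) {
			resolved = filepath.Clean(linkTarget)
		} else {
			resolved = filepath.Join(filepath.Dir(entryPath), linkTarget)
		}
		if !insideDest(dest, resolved) {
			return fmt.Errorf("%w: %q -> %q", ErrTraversal, hdr.Name, hdr.Linkname)
		}
	}
	return nil
}

// ScanArchive walks a tar stream and returns the names of entries that fail
// CheckEntry. Nothing is extracted; this is the gate an extractor runs first.
func ScanArchive(dest string, archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var rejected []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return rejected, nil
		}
		// With GODEBUG=tarinsecurepath=0 the reader itself flags non-local names
		// but still returns the header; treat that the same as our own check.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return rejected, err
		}
		if cerr := CheckEntry(dest, hdr); cerr != nil || err != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// SampleArchive builds a constructed in-memory tar stream: one benign file, one
// benign relative symlink, and three entries of the shape the advisory describes
// (escaping path, escaping relative symlink, absolute symlink). Names are invented.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("kind: ZarfPackageConfig\n")
	entries := []*tar.Header{
		{Name: "manifest.yaml", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))},
		{Name: "data/link-ok", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "../manifest.yaml"},
		{Name: "../outside.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: 0},
		{Name: "data/escape", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "../../../etc/passwd"},
		{Name: "abs-link", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "/etc/shadow"},
	}
	for _, h := range entries {
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if h.Typeflag == tar.TypeReg && h.Size > 0 {
			if _, err := tw.Write(body); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	rejected, err := ScanArchive("/opt/zarf-extract", SampleArchive())
	if err != nil {
		panic(err)
	}
	for _, name := range rejected {
		fmt.Println("rejected:", name)
	}
}
```

This is a lexical pre-write gate, which is the layer the advisory's mitigation describes. A complete extractor additionally resolves the real on-disk parent of each entry (filepath.EvalSymlinks) before creating it, since a link already present in the destination is invisible to a header check, and gives hard links (tar.TypeLink, whose Linkname is archive-relative rather than directory-relative) their own check.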

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

lfprojects zarf: 0.54.0 to before 0.73.1

CVEs Like This One

CVE-2026-40090 (same product: Lfprojects Zarf)
CVE-2025-15031 (same vendor: Lfprojects)
CVE-2025-11201 (same vendor: Lfprojects)
CVE-2026-35177 (shared CWE-22)
CVE-2025-1915 (shared CWE-22)
CVE-2026-27623 (same vendor: Lfprojects)
CVE-2026-33656 (shared CWE-22)
CVE-2026-3051 (shared CWE-22)
CVE-2025-67733 (same vendor: Lfprojects)
CVE-2026-26960 (shared CWE-22)

References