Cyber Resilience

CVE-2026-32805

Severity: High · Public PoC referenced

Published: 18 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: Romeo 0.2.2
CVSS Score (v4.0): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0043 (34.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32805 is a high-severity Path Traversal (CWE-22) vulnerability in Ctfer-Io Romeo. Its CVSS base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-32805 is a path traversal vulnerability (CWE-22) in Romeo, a tool that measures code coverage of Go 1.20 and later applications during functional and integration tests run in GitHub Actions. The issue resides in the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) of Romeo versions prior to 0.2.2. The `strings.HasPrefix` check compares the resolved target against the destination directory without a trailing path separator, so a target under a sibling directory whose name merely begins with the destination path (for example a destination of `/out` and a target of `/out_evil/file`) passes validation. A crafted tar archive can therefore write files outside the intended destination directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Attackers require network access to a vulnerable Romeo instance but no privileges, authentication, or user interaction. By supplying a maliciously crafted tar archive, they can exploit the path traversal bypass to overwrite or create files in arbitrary locations on the server filesystem, potentially leading to integrity violations such as modifying configuration files, injecting code, or disrupting services.

The GitHub security advisory (GHSA-p799-g7vv-f279) and the fixing commit (c2ebcfb9f305fd5f6ef68858de82507dbac10263) confirm that upgrading to Romeo version 0.2.2 resolves the issue by addressing the path validation flaw.

Vulnerability details

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.
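The following Go program is an added example for this page, not Romeo's own code and not the fixing commit: it reconstructs the defect class described above (a `strings.HasPrefix` destination check without a trailing separator) next to a hardened variant, and runs both over the entry names of a tar archive constructed in memory, without extracting anything. The function names `vulnerableSanitize`, `hardenedSanitize`, `buildArchive` and `listAccepted`, the destination path and the entry names are all assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// vulnerableSanitize reproduces the defect class the advisory describes:
// the prefix check lacks a trailing separator, so any resolved target that
// merely begins with the destination string (including a sibling directory
// such as dest+"_evil") is accepted. Illustrative reconstruction only; this
// is not Romeo's actual function body.
func vulnerableSanitize(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if !strings.HasPrefix(target, cleanDest) {
		return "", fmt.Errorf("content filepath is tainted: %s", name)
	}
	return target, nil
}

// hardenedSanitize requires the path separator after the destination, so
// "/srv/coverage_evil/x" no longer matches a destination of "/srv/coverage".
// The destination itself (an entry named ".") stays allowed, and a
// destination that already ends in a separator (e.g. "/") is not doubled.
func hardenedSanitize(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	prefix := cleanDest
	if !strings.HasSuffix(prefix, string(os.PathSeparator)) {
		prefix += string(os.PathSeparator)
	}
	if target != cleanDest && !strings.HasPrefix(target, prefix) {
		return "", fmt.Errorf("content filepath is tainted: %s", name)
	}
	return target, nil
}

// buildArchive creates an in-memory tar archive with one tiny regular file
// per entry name. The names are constructed sample data for this example.
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("x")
		hdr := &tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o600, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// listAccepted walks the archive headers and returns the entry names that
// the given sanitizer would allow under dest. Nothing is written to disk.
func listAccepted(dest string, archive []byte, sanitize func(dest, name string) (string, error)) []string {
	tr := tar.NewReader(bytes.NewReader(archive))
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			panic(err)
		}
		if _, err := sanitize(dest, hdr.Name); err == nil {
			accepted = append(accepted, hdr.Name)
		}
	}
	return accepted
}

func main() {
	dest := "/srv/coverage"
	// Constructed sample entries: a legitimate report, a sibling-directory
	// prefix bypass, and a plain traversal that both checks reject.
	ar := buildArchive([]string{"report/cover.out", "../coverage_evil/note.txt", "../../tmp/outside.txt"})
	fmt.Println("vulnerable check accepts:", listAccepted(dest, ar, vulnerableSanitize))
	fmt.Println("hardened check accepts:  ", listAccepted(dest, ar, hardenedSanitize))
}
```

The plain `../../tmp/outside.txt` entry is rejected by both variants, which is why the weakness is a bypass rather than a complete absence of validation: only targets that share the destination's string prefix slip through. An equivalent hardening is to compute `filepath.Rel(cleanDest, target)` and reject results that start with `..`; the separator-suffixed prefix check used here is the smaller change and matches the fix the advisory describes.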

CWE(s): CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated path traversal in the web server's tar decoder directly enables exploitation of a public-facing application (T1190); the resulting arbitrary file write facilitates web shell deployment (T1505.003) and code/script injection for command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32737 - same product: Ctfer-Io Romeo
CVE-2025-53632 - same vendor: Ctfer-Io
CVE-2024-10763 - shared CWE-22
CVE-2025-53633 - same vendor: Ctfer-Io
CVE-2025-24406 - shared CWE-22
CVE-2026-24848 - shared CWE-22
CVE-2024-11642 - shared CWE-22
CVE-2025-12062 - shared CWE-22
CVE-2025-8815 - shared CWE-22
CVE-2026-36760 - shared CWE-22

Affected Assets

ctfer-io / romeo: versions prior to 0.2.2 (fixed in 0.2.2)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent - SI-10 Information Input Validation
Directly mandates validation of path inputs in tar archives to block traversal attempts, addressing the exact flaw in `sanitizeArchivePath`.

prevent - AC-3 Access Enforcement
Enforces logical access controls to restrict file writes to authorized directories only, mitigating unauthorized filesystem modifications via path traversal.

detect
Monitors software and information integrity to identify unauthorized file creations or modifications resulting from exploited path traversal.
