CVE-2026-32805
Published: 18 March 2026
Summary
CVE-2026-32805 is a high-severity Path Traversal (CWE-22) vulnerability in Ctfer-Io Romeo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of path inputs in tar archives to block traversal attempts, addressing the exact flaw in sanitizeArchivePath.
- AC-3 (Access Enforcement): enforces logical access controls to restrict file writes to authorized directories only, mitigating unauthorized filesystem modifications via path traversal.
- Software and information integrity monitoring: identifies unauthorized file creations or modifications resulting from exploited path traversal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated path traversal in the webserver's tar decoder directly enables T1190 (exploitation of a public-facing application); the resulting arbitrary file write facilitates web shell deployment (T1100) and code/script injection for command execution (T1059).
NVD Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.
Deeper analysis
CVE-2026-32805 is a path traversal vulnerability (CWE-22) in the Romeo tool, which measures code coverage for Go applications version 1.20 and higher during functional and integration tests in GitHub Actions. The issue resides in the `sanitizeArchivePath` function within `webserver/api/v1/decoder.go` (lines 80-88) of Romeo versions prior to 0.2.2. Due to a missing trailing path separator in the `strings.HasPrefix` check, the function fails to properly validate paths, allowing a crafted tar archive to write files outside the intended destination directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Attackers require network access to a vulnerable Romeo instance but no privileges, authentication, or user interaction. By supplying a maliciously crafted tar archive, they can exploit the path traversal bypass to overwrite or create files in arbitrary locations on the server filesystem, potentially leading to integrity violations such as modifying configuration files, injecting code, or disrupting services.
The GitHub security advisory (GHSA-p799-g7vv-f279) and the fixing commit (c2ebcfb9f305fd5f6ef68858de82507dbac10263) confirm that upgrading to Romeo version 0.2.2 resolves the issue by addressing the path validation flaw.
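To make the flawed check concrete, the following is an added illustration, not Romeo's own code: the function names, the `/srv/out` destination and the entry names are constructed for this example. It shows a `strings.HasPrefix` destination check with and without the trailing separator, applied to a tar entry name the way an extractor would before writing it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry resolves outside dest.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// vulnerableSanitize reproduces the pattern the advisory describes
// (hypothetical reconstruction, not Romeo's code): the prefix check uses the
// bare destination, so a sibling directory whose name merely starts with
// dest ("/srv/out-evil" for dest "/srv/out") passes the check.
func vulnerableSanitize(dest, entry string) (string, error) {
	target := filepath.Join(dest, entry) // Join cleans, collapsing ".."
	if !strings.HasPrefix(target, filepath.Clean(dest)) {
		return "", ErrTraversal
	}
	return target, nil
}

// hardenedSanitize compares against dest plus a trailing separator, so a
// sibling-prefix path no longer matches. The cleaned dest itself is still
// accepted so that a "." entry (the directory itself) is not rejected.
func hardenedSanitize(dest, entry string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, entry)
	inside := target == cleanDest ||
		strings.HasPrefix(target, cleanDest+string(os.PathSeparator))
	if !inside {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed entry names: one benign, one sibling-prefix, one plain "..".
	for _, entry := range []string{"sub/a.txt", "../out-evil/x", "../../etc/passwd"} {
		v, verr := vulnerableSanitize("/srv/out", entry)
		h, herr := hardenedSanitize("/srv/out", entry)
		fmt.Printf("%-18s vulnerable=%q (%v)  hardened=%q (%v)\n", entry, v, verr, h, herr)
	}
}
```

On the sibling-prefix entry the vulnerable check accepts "/srv/out-evil/x" while the hardened check returns ErrTraversal; both reject the plain ".." escape and both accept the benign entry.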
Details
- CWE(s)