CVE-2026-41082
Published: 16 April 2026
Summary
CVE-2026-41082 is a high-severity Path Traversal: '../filedir' (CWE-24) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-41082 is a path traversal vulnerability (CWE-24) in the OCaml opam package manager prior to version 2.5.1. The issue arises when processing a .install field in a package specification, which allows the destination filepath to include "../" sequences. This enables traversal to parent directories outside the intended installation scope. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L), indicating high severity due to significant integrity impacts with low complexity and no privileges required.
A local attacker can exploit this vulnerability by creating or controlling a malicious opam package with a crafted .install field that uses "../" to target files in parent directories. Upon installation via opam, the package installs files to unauthorized locations, potentially overwriting critical system files. This grants high integrity disruption (I:H) with low confidentiality (C:L) and availability (A:L) impacts, all without user interaction or elevated privileges, as long as the victim runs the opam install command locally.
Mitigation involves updating to opam version 2.5.1 or later, as detailed in the official release notes and the corresponding GitHub pull request #6897 that addresses the path traversal. Debian LTS users should refer to the security announcement for patched packages in their repositories. No workarounds are specified beyond avoiding installation of untrusted packages.
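As an added defender-side check (not opam's own code and not the fix from PR #6897), the following Python audit parses the simplified `section: [ "src" {"dest"} ]` syntax of a .install file and flags destinations that escape the section directory. It normalizes each path first, so nested forms such as `a/../../b` are caught as well as a literal `../` prefix, and it also rejects absolute destinations. The sample .install content and its file names are constructed for illustration.

```python
import posixpath
import re

# Constructed sample .install file (not taken from the advisory).
# Syntax assumed here: `section: [ "src" {"dest"} ... ]`, where the optional
# {"dest"} sets the install path relative to the section's directory.
SAMPLE_INSTALL = '''
lib: [
  "foo.cma"
  "foo.cmi" {"sub/foo.cmi"}
  "evil.so" {"../../../../tmp/outside.txt"}
]
bin: [ "main.native" {"main"} ]
etc: [ "conf" {"/tmp/absolute.conf"} ]
'''

# One entry: a quoted source, optionally followed by {"dest"}.
ENTRY_RE = re.compile(r'"([^"]+)"(?:\s*\{\s*"([^"]+)"\s*\})?')
# One section: `name: [ ...entries... ]` (entries never contain ']').
SECTION_RE = re.compile(r'(\w+)\s*:\s*\[(.*?)\]', re.S)


def is_unsafe_destination(dest: str) -> bool:
    """True if dest is absolute or resolves outside the section directory.

    posixpath.normpath collapses 'a/../../b' to '../b', so checking the
    normalized form catches traversal that a plain '../' prefix test misses.
    """
    if posixpath.isabs(dest):
        return True
    norm = posixpath.normpath(dest)
    return norm == ".." or norm.startswith("../")


def audit_install_file(text: str) -> list[tuple[str, str, str]]:
    """Return (section, src, dest) for every entry with an unsafe destination."""
    findings = []
    for section, body in SECTION_RE.findall(text):
        for src, dest in ENTRY_RE.findall(body):
            # Entries without {"dest"} install under their own name and are safe.
            if dest and is_unsafe_destination(dest):
                findings.append((section, src, dest))
    return findings


if __name__ == "__main__":
    for section, src, dest in audit_install_file(SAMPLE_INSTALL):
        print(f"unsafe destination in section '{section}': {src} -> {dest}")
```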
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23288
Vulnerability details
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in opam enables a malicious package with a crafted .install field to write files to arbitrary locations outside the intended scope, directly facilitating supply chain compromise through the package; it requires the user to run the opam install command on the malicious package.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the path traversal flaw in opam by updating to version 2.5.1 or later, as specified in the official mitigation.
- SI-10 (Information Input Validation): enforces validation of the .install field filepath input to block directory traversal sequences like '../', directly countering CWE-24 in opam.
- Prohibits or monitors user installation of untrusted opam packages that could contain malicious .install fields exploiting the vulnerability.