Home / Vulnerability Intelligence / CVE-2026-26187

CVE-2026-26187 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: February 13, 2026

lakeFS - Path Traversal

Published: February 13, 2026Updated: February 13, 2026Remote Exploitable

Overview

lakeFS prior to 1.77.0 contains a path traversal vulnerability caused by insufficient path prefix validation in the local block adapter, letting authenticated users read and write files outside their storage boundaries, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Authenticated users can read and write files outside their designated storage, potentially leading to unauthorized data access and modification.

Mitigation

Update to version 1.77.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 13, 2026

🟠 CVE-2026-26187 - High (8.1) lakeFS is an open-source tool that transforms object storage into a Git-like repositories. Prior to 1.77.0, the local block adapter (pkg/block/local/adapter.go) allows authenticated users to read and write files outside their designated storage bo... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26187/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26187
Severity: High
CVSS Score: 8.1
Type: path_traversal
Status: unconfirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

4.7%Probability of exploitation in the next 30 days