CVE-2026-49233
Routinator has cache path traversal when processing the module component of rsync URIs
Description
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. A module name containing .. therefore results in path traversal, potentially giving an attacker access to the entire Routinator rsync cache.
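The class of check described above, as an added example that is not Routinator's code: every URI component, the module included, is validated before it becomes a directory name below the cache root. The function names, the root/authority/module/path layout, the cache root and the host names are assumptions constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// A URI component may become one directory name only if it cannot change
/// which directory the joined path ends up in.
fn safe_segment(seg: &str) -> bool {
    !seg.is_empty()
        && seg != "."
        && seg != ".."
        && !seg.contains(|c: char| c == '/' || c == '\\' || c == '\0')
}

/// Map rsync://authority/module/path... to a path below `cache_root`.
/// Hypothetical helper; the cache layout is an assumption.
pub fn cache_path(cache_root: &Path, uri: &str) -> Result<PathBuf, &'static str> {
    let rest = uri.strip_prefix("rsync://").ok_or("not an rsync URI")?;
    let mut parts = rest.splitn(3, '/');
    let authority = parts.next().unwrap_or("");
    let module = parts.next().ok_or("missing module")?;
    let path = parts.next().unwrap_or("");

    // The module gets the same check as every other component.
    if !safe_segment(authority) || !safe_segment(module) {
        return Err("unsafe authority or module");
    }
    let mut out = cache_root.join(authority).join(module);
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        if !safe_segment(seg) {
            return Err("unsafe path segment");
        }
        out.push(seg);
    }
    // Defence in depth: the result must still sit below the root and contain
    // only normal components after it.
    let tail = out.strip_prefix(cache_root).map_err(|_| "escaped cache root")?;
    if tail.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err("escaped cache root");
    }
    Ok(out)
}

fn main() {
    let root = Path::new("/var/cache/rsync"); // constructed cache root
    for uri in ["rsync://rpki.example.net/repo/ca/cert.cer", // constructed URIs
                "rsync://rpki.example.net/../other/x.cer"] {
        println!("{} -> {:?}", uri, cache_path(root, uri));
    }
}
```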
How to fix CVE-2026-49233
To remediate CVE-2026-49233, upgrade the affected package to the fixed version listed below.
- crates.io/routinator: upgrade to 0.15.2 or later
Is CVE-2026-49233 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49233.
Affected packages (1)
- crates.io/routinator: from 0, < 0.15.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |