Zarf Package Manager Allows Malicious File Access

CVE-2026-29064 · GHSA-hcm4-6hpj-vghm
Summary

Zarf, a tool used to package software for Kubernetes, has a path traversal issue in its archive extraction. A specially crafted Zarf package can contain symlinks that point outside the extraction directory, so processing such a package can let an attacker read or write arbitrary files on the system that processes it. Update to version 0.73.1 or later to fix this issue.

What to do
  • Update github.com/zarf-dev/zarf to version 0.73.1.
  • Update the github.com/zarf-dev/zarf/src/pkg/archive package to version 0.73.1.
Affected software
Vendor       Product                                        Affected versions      Fix available
github.com   zarf-dev                                       > 0.54.0, <= 0.73.1    0.73.1
zarf-dev     github.com/zarf-dev/zarf/src/pkg/archive       > 0.54.0, <= 0.73.1    0.73.1
lfprojects   zarf                                           > 0.54.0, <= 0.73.1    –
Original title
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf packa...
Original description
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.
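A defender-side illustration of the mitigation class this advisory implies, added here as an example and not code from the Zarf project: a Go check that rejects archive entries whose name, or whose symlink target, resolves outside the extraction directory. The names ErrEscape, CheckEntry and ScanTar and the destination path are assumptions for this example.

```go
package main

import (
	"archive/tar"
	"errors"
	"io"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("archive entry escapes destination directory")

// withinDest uses filepath.Rel, not a string prefix, so a sibling dir such as dest+"2" is rejected.
func withinDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// CheckEntry validates an entry name and, for symlinks, the link target, and returns the
// path it resolves to inside dest. Caveat: an extractor must also refuse to write through
// symlinks created earlier in the same archive (EvalSymlinks the parent and re-check it).
func CheckEntry(dest, name, linkTarget string) (string, error) {
	dest = filepath.Clean(dest)
	p := filepath.Join(dest, name) // Join collapses "../" components
	if !withinDest(dest, p) || filepath.IsAbs(linkTarget) {
		return "", ErrEscape
	}
	if linkTarget == "" {
		return p, nil
	}
	// A relative symlink target resolves against the link's own directory.
	if p = filepath.Join(filepath.Dir(p), linkTarget); !withinDest(dest, p) {
		return "", ErrEscape
	}
	return p, nil
}

// ScanTar walks a tar stream and returns the names of entries CheckEntry rejects,
// so a package can be vetted before any file is written to disk.
func ScanTar(dest string, r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var rejected []string
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return nil, err
		}
		if _, err := CheckEntry(dest, h.Name, h.Linkname); err != nil {
			rejected = append(rejected, h.Name)
		}
	}
}
```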
NVD CVSS 3.1 score: 8.2
Vulnerability type
CWE-22 Path Traversal
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026