{"id":"CVE-2026-58203","summary":"NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size","details":"pydantic-settings provides settings management using Pydantic. From 2.12.0 until 2.14.2, NestedSecretsSettingsSource reads secret values from files in a configured secrets_dir. When secrets_nested_subdir=True, a directory entry inside secrets_dir that is a symbolic link pointing outside secrets_dir is followed, so files outside the configured directory are read into settings values. The same code path bypasses the documented secrets_dir_max_size protection. An attacker or lower-privileged component able to influence entries in the configured secrets directory (for example, a writable or shared secrets mount) can turn this into an unintended local file read into settings and can defeat the advertised loading-size cap.  This vulnerability is fixed in 2.14.2.","aliases":["GHSA-4xgf-cpjx-pc3j"],"modified":"2026-07-11T03:54:38.483825656Z","published":"2026-07-06T14:24:15.740Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58203.json","cwe_ids":["CWE-22","CWE-400","CWE-59"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58203.json"},{"type":"ADVISORY","url":"https://github.com/pydantic/pydantic-settings/security/advisories/GHSA-4xgf-cpjx-pc3j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58203"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pydantic/pydantic-settings","events":[{"introduced":"584983d253a0fac4dfb294d1e6f9ef188add468b"},{"fixed":"d703bd717e5e07439fa89da2245eee6139413e9e"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2.12.0"},{"fixed":"2.14.2"}]}}],"versions":["v2.14.1","v2.14.0","v2.13.1","v2.13.0","v2.12.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58203.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}