{"id":"GO-2026-4970","summary":"Root escape via symlink plus trailing slash in os","details":"On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.\n\nFor example, 'root.Open(\"symlink/\")' will open \"symlink\" even when \"symlink\" is a symbolic link pointing outside of the root.","aliases":["CVE-2026-39822"],"modified":"2026-07-08T20:29:26.853236160Z","published":"2026-07-07T21:34:47Z","related":["CGA-8r5h-83c2-4rxw"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4970","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/79005"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc"},{"type":"FIX","url":"https://go.dev/cl/797880"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.12"},{"introduced":"1.26.0-0"},{"fixed":"1.26.5"},{"introduced":"1.27.0-0"},{"fixed":"1.27.0-rc.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["OpenInRoot","Root.Create","Root.Open","Root.OpenFile","Root.OpenRoot","Root.ReadFile","Root.WriteFile","openRootInRoot","rootFS.Open","rootFS.ReadDir","rootFS.ReadFile","rootOpenFileNolog"],"path":"os"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4970.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mundur (https://github.com/M0nd0R)"}]}