CVE Vulnerabilities

CVE-2026-32282

Improper Link Resolution Before File Access ('Link Following')

Published: Apr 08, 2026 | Modified: Jun 17, 2026
CVSS 3.x (Source: NVD): 6.4 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
RedHat/V3: 7.8 MODERATE, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Ubuntu: MEDIUM

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name | Vendor | Start Version | End Version
Go | Golang | * | 1.25.9 (excluding)
Go | Golang | 1.26.0 (including) | 1.26.2 (excluding)
Cryostat 4 on RHEL 9 | RedHat | cryostat/cryostat-storage-rhel9:4.1.1-7 | *
HawtIO HawtIO 4.4.0 | RedHat | rhbac-4-tech-preview/hawtio-rhel8-operator | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | receptor-0:1.6.5-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | receptor-0:1.6.5-1.el9ap | *
Red Hat Ansible Automation Platform 2.6 for RHEL 10 | RedHat | receptor-0:1.6.5-1.el10ap | *
Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | receptor-0:1.6.5-1.el9ap | *
Red Hat Enterprise Linux 10 | RedHat | golang-0:1.25.9-3.el10_1 | *
Red Hat Enterprise Linux 10 | RedHat | grafana-0:10.2.6-25.el10_1 | *
Red Hat Enterprise Linux 10 | RedHat | rhc-worker-playbook-0:0.2.3-5.el10_1 | *
Red Hat Enterprise Linux 10 | RedHat | yggdrasil-0:0.4.8-5.el10_1 | *
Red Hat Enterprise Linux 10 | RedHat | rhc-worker-playbook-0:0.2.7-3.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | git-lfs-0:3.7.1-4.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | grafana-0:10.2.6-26.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | opentelemetry-collector-0:0.144.0-2.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | grafana-pcp-0:5.3.0-5.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | golang-github-openprinting-ipp-usb-0:0.9.27-7.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | rhc-1:0.3.8-4.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | go-fdo-client-0:1.0.0-4.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | go-fdo-server-0:1.0.1-2.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | osbuild-composer-0:165.1-2.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | image-builder-0:52.1-1.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | yggdrasil-0:0.4.9-5.el10_2 | *
Red Hat Enterprise Linux 10 | RedHat | yggdrasil-worker-package-manager-0:0.2.3-7.el10_2 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | golang-0:1.25.9-1.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | gvisor-tap-vsock-6:0.8.5-2.el10_0.1 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | grafana-pcp-0:5.2.2-6.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | grafana-0:10.2.6-24.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | yggdrasil-0:0.4.7-4.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | golang-github-openprinting-ipp-usb-0:0.9.27-3.el10_0.4 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | rhc-worker-playbook-0:0.2.3-5.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | git-lfs-0:3.6.1-2.el10_0.4 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | opentelemetry-collector-0:0.144.0-2.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | osbuild-composer-0:134.1-7.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | rhc-1:0.3.2-4.el10_0 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | yggdrasil-worker-package-manager-0:0.2.3-6.el10_0 | *
Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | host-metering-0:1.4.0-7.el7_9 | *
Red Hat Enterprise Linux 8 | RedHat | go-toolset:rhel8-8100020260422204008.a3795dee | *
Red Hat Enterprise Linux 8 | RedHat | grafana-0:9.2.10-30.el8_10 | *
Red Hat Enterprise Linux 8 | RedHat | grafana-pcp-0:5.1.1-14.el8_10 | *
Red Hat Enterprise Linux 8 | RedHat | rhc-1:0.2.5-7.el8_10 | *
Red Hat Enterprise Linux 8 | RedHat | git-lfs-0:3.4.1-10.el8_10 | *
Red Hat Enterprise Linux 9 | RedHat | golang-0:1.25.9-1.el9_7 | *
Red Hat Enterprise Linux 9 | RedHat | grafana-pcp-0:5.1.1-14.el9_7 | *
Red Hat Enterprise Linux 9 | RedHat | grafana-0:10.2.6-21.el9_7 | *
Red Hat Enterprise Linux 9 | RedHat | git-lfs-0:3.6.1-8.el9_7.1 | *
Red Hat Enterprise Linux 9 | RedHat | git-lfs-0:3.7.1-4.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | grafana-pcp-0:5.1.1-15.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | grafana-0:10.2.6-22.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | opentelemetry-collector-0:0.144.0-2.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | rhc-1:0.2.7-6.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | osbuild-composer-0:165.1-2.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | image-builder-0:52.1-1.el9_8 | *
Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | opentelemetry-collector-0:0.144.0-2.el9_4 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | golang-0:1.25.9-1.el9_6 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | opentelemetry-collector-0:0.144.0-2.el9_6 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | git-lfs-0:3.6.1-2.el9_6.4 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | grafana-pcp-0:5.1.1-14.el9_6 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | grafana-0:10.2.6-21.el9_6 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | osbuild-composer-0:132.2-7.el9_6 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | rhc-1:0.2.7-1.el9_6.4 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | gvisor-tap-vsock-6:0.8.5-2.el9_6.2 | *
Red Hat OpenStack Platform 17.1 for RHEL 9 | RedHat | collectd-libpod-stats-0:1.0.6-7.el9ost | *
Red Hat OpenStack Platform 17.1 for RHEL 9 | RedHat | golang-uber-multierr-0:1.5.0-2.el9ost | *
Red Hat OpenStack Platform 17.1 for RHEL 9 | RedHat | etcd-0:3.4.26-9.5.el9ost | *
Red Hat Satellite 6.16 for RHEL 8 | RedHat | dynflow-utils-0:1.6.3-1.1.el8sat | *
Red Hat Satellite 6.16 for RHEL 8 | RedHat | yggdrasil-worker-forwarder-0:0.0.3-5.el8sat | *
Red Hat Satellite 6.16 for RHEL 9 | RedHat | dynflow-utils-0:1.6.3-1.1.el9sat | *
Red Hat Satellite 6.16 for RHEL 9 | RedHat | yggdrasil-worker-forwarder-0:0.0.3-5.el9sat | *
Red Hat Satellite 6.18 for RHEL 9 | RedHat | dynflow-utils-0:2.0.1-1.el9sat | *
Red Hat Satellite 6.19 for RHEL 9 | RedHat | dynflow-utils-0:2.0.1-1.el9sat | *
Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/perses-rhel9:1781116652 | *
Custom Metric Autoscaler 2.19 | RedHat | custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9:1780101236 | *
Logging Subsystem for Red Hat OpenShift 6.0 | RedHat | openshift-logging/logging-loki-rhel9:1781193075 | *
Logging Subsystem for Red Hat OpenShift 6.4 | RedHat | openshift-logging/logging-loki-rhel9:1780051809 | *
Multicluster Global Hub 1.3.4 | RedHat | multicluster-globalhub/multicluster-globalhub-agent-rhel9:1779210675 | *
Multicluster Global Hub 1.4.5 | RedHat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439 | *
Multicluster Global Hub 1.5.4 | RedHat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753 | *
Multicluster Global Hub 1.6.2 | RedHat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118 | *
Multicluster Global Hub 1.7.1 | RedHat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779925273 | *
Network Observability (NETOBSERV) 1.11.2 | RedHat | network-observability/network-observability-flowlogs-pipeline-rhel9:1778508248 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-kubevirt-velero-plugin-rhel9:1779243307 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-mustgather-rhel9:1779770049 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-rhel9-operator:1779847451 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-plugin-for-aws-rhel9:1779243113 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-plugin-for-gcp-rhel9:1779243915 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-plugin-for-legacy-aws-rhel9:1779243074 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-plugin-for-microsoft-azure-rhel9:1779243128 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-plugin-rhel9:1779243793 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-restic-restore-helper-rhel9:1779809597 | *
OpenShift API for Data Protection 1.4 | RedHat | oadp/oadp-velero-rhel9:1779809598 | *
OpenShift API for Data Protection 1.5 | RedHat | oadp/oadp-velero-rhel9:1779808027 | *
OpenShift Compliance Operator 1 | RedHat | compliance/openshift-compliance-operator-bundle:1781605005 | *
OpenShift Developer Tools and Services 1.6.2 | RedHat | source-to-image/source-to-image-rhel8:1780247935 | *
OpenShift Developer Tools and Services 1.6.2 | RedHat | source-to-image/source-to-image-rhel9:1780247727 | *
Red Hat Advanced Cluster Management for Kubernetes 2.15 | RedHat | rhacm2/volsync-rhel9:1777380373 | *
Red Hat Advanced Cluster Management for Kubernetes 2.16 | RedHat | rhacm2/volsync-rhel9:1777380410 | *
Red Hat Advanced Cluster Security for Kubernetes 4.10 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1777976489 | *
Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1777986630 | *
Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-rhel9-operator:1779841292 | *
Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-rhel9-operator:1777902709 | *
Red Hat Hardened Images | RedHat | golang1-26-main-1.26.2-1.hum1 | *
Red Hat Hardened Images | RedHat | golang1-25-main-1.25.9-1.hum1 | *
Red Hat Lightspeed (formerly Insights) for Runtimes 1 | RedHat | rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator:1.0.3-1779996197 | *
Red Hat OpenShift Dev Spaces 3.28 | RedHat | devspaces/udi-rhel9:1779829736 | *
Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/tempo-rhel9:1776435680 | *
Red Hat OpenShift GitOps 1.2 | RedHat | openshift-gitops-1/dex-rhel9:1779284768 | *
Red Hat Quay 3.1 | RedHat | quay/quay-rhel8:1779822261 | *
Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1779811412 | *
Red Hat Quay 3.14 | RedHat | quay/quay-rhel8:1779689392 | *
Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1780891395 | *
Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1779204086 | *
Red Hat Quay 3.17 | RedHat | quay/quay-rhel9:1779922205 | *
Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1779811473 | *
Red Hat Trusted Artifact Signer 1.3 | RedHat | rhtas/gitsign-rhel9:1780052587 | *
Golang-1.10 | Ubuntu | esm-infra/xenial | *
Golang-1.13 | Ubuntu | esm-apps/xenial | *
Golang-1.18 | Ubuntu | esm-apps/xenial | *
Golang-1.6 | Ubuntu | esm-infra/xenial | *

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
