CVE Vulnerabilities

CVE-2026-45491

Improper Link Resolution Before File Access ('Link Following')

Published: Jun 09, 2026 | Modified: Jun 17, 2026
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
6.2 MODERATE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Improper link resolution before file access (link following) in .NET allows an unauthorized attacker to perform tampering locally.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

NameVendorStart VersionEnd Version
.netMicrosoft8.0.0 (including)8.0.28 (excluding)
.netMicrosoft9.0.0 (including)9.0.17 (excluding)
.netMicrosoft10.0.0 (including)10.0.9 (excluding)
Red Hat Enterprise Linux 10RedHatdotnet8.0-0:8.0.128-1.el10_2*
Red Hat Enterprise Linux 10RedHatdotnet9.0-0:9.0.118-1.el10_2*
Red Hat Enterprise Linux 10RedHatdotnet10.0-0:10.0.109-1.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatdotnet8.0-0:8.0.128-1.el10_0*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatdotnet9.0-0:9.0.118-1.el10_0*
Red Hat Enterprise Linux 8RedHatdotnet8.0-0:8.0.128-1.el8_10*
Red Hat Enterprise Linux 8RedHatdotnet9.0-0:9.0.118-1.el8_10*
Red Hat Enterprise Linux 8RedHatdotnet10.0-0:10.0.109-1.el8_10*
Red Hat Enterprise Linux 9RedHatdotnet8.0-0:8.0.128-1.el9_8*
Red Hat Enterprise Linux 9RedHatdotnet9.0-0:9.0.118-1.el9_8*
Red Hat Enterprise Linux 9RedHatdotnet10.0-0:10.0.109-1.el9_8*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatdotnet8.0-0:8.0.128-1.el9_4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatdotnet8.0-0:8.0.128-1.el9_6*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatdotnet9.0-0:9.0.118-1.el9_6*
Red Hat Hardened ImagesRedHatdotnet9-0-main-9.0.117-1.hum1*
Red Hat Hardened ImagesRedHatdotnet10-0-main-10.0.109-1.hum1*
Red Hat Hardened ImagesRedHatdotnet8-0-main-8.0.128-1.hum1*
Dotnet10Ubuntudevel*
Dotnet10Ubuntunoble*
Dotnet10Ubuntuquesting*
Dotnet10Ubunturesolute*
Dotnet7Ubuntujammy*
Dotnet8Ubuntujammy*
Dotnet8Ubuntunoble*
Dotnet8Ubuntuquesting*
Dotnet9Ubuntuquesting*

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References