CVE-2026-23968 Overview
CVE-2026-23968 is a symlink-following vulnerability in Copier, a library and CLI application for rendering project templates. Prior to version 9.11.2, Copier suggests that it is safe to generate a project from a "safe" template, i.e. one that does not use unsafe features such as custom Jinja extensions, which require the --UNSAFE / --trust flag. However, a supposedly safe template can pull arbitrary files and directories from outside the local template clone into the generated project by combining symlinks with _preserve_symlinks: false (Copier's default setting).
This vulnerability enables attackers to craft malicious templates that access sensitive files from outside the intended template directory, potentially exposing confidential information when users generate projects from untrusted sources.
Critical Impact
Attackers can use symlinks in a template to have arbitrary files from outside the template root copied into the generated project, bypassing the security boundary Copier intends for "safe" templates. The copied data only leaves the victim's machine if the generated project is later committed, shared or published, so the direct impact is disclosure of local files into project output rather than remote exfiltration by the template itself.
Affected Products
- Copier versions prior to 9.11.2
Discovery Timeline
- 2026-01-21 - CVE-2026-23968 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-23968
Vulnerability Analysis
This vulnerability is classified under CWE-61 (UNIX Symbolic Link Following). The issue arises from insufficient validation of symlink targets during template processing. When Copier processes a template with _preserve_symlinks: false (the default configuration), it follows symbolic links and copies the content they point to. The flaw lies in Copier not verifying whether resolved symlink targets remain within the template's root directory.
An attacker can create a template containing symlinks that point to sensitive locations outside the template directory, such as /etc/passwd, ~/.ssh/ or application configuration files. When a victim generates a project from this template, Copier follows the symlinks and copies their targets into the generated project, so content that should never have been part of the project now sits in its output tree, ready to be committed or shared along with it.
Root Cause
The root cause is improper validation of symlink resolution paths in Copier's file copying logic. When processing templates, Copier iterates through files using scantree() and copies content based on resolved paths. Prior to the fix, there was no check to ensure that symlink targets remained within the template's local path boundary (template.local_abspath). This allowed symlinks pointing to arbitrary filesystem locations to be processed as if they were legitimate template files.
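To make the root cause concrete, the following is an added, self-contained Python example; it is not Copier's own code. It builds a throwaway template containing one symlink that stays inside the template and one that points at a file outside it, then copies the template twice: once following every symlink unconditionally (the pre-9.11.2 behaviour with _preserve_symlinks: false) and once with a containment check modelled on the fix. The fixture layout, the helper names and the ForbiddenPathError class defined here are assumptions of the example; the only Copier identifiers reused are the setting name and the exception name the advisory mentions. The same containment test can be run read-only as a pre-use audit of a cloned template.

```python
"""Added example (not Copier's code): following template symlinks blindly
versus checking that each symlink resolves inside the template root."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple


class ForbiddenPathError(Exception):
    """Raised when a template entry resolves outside the template root."""


def build_fixture() -> Tuple[Path, Path, Path]:
    """Constructed layout for the demo (an assumption, not a real template):

        <base>/secret.txt                   <- sits OUTSIDE the template
        <base>/template/README.md
        <base>/template/docs/readme-link.md -> ../README.md      (stays inside)
        <base>/template/leak.txt            -> <base>/secret.txt (escapes)
    """
    base = Path(tempfile.mkdtemp(prefix="copier-symlink-demo-"))
    secret = base / "secret.txt"
    secret.write_text("PRIVATE KEY MATERIAL\n")
    root = base / "template"
    (root / "docs").mkdir(parents=True)
    (root / "README.md").write_text("# hello\n")
    os.symlink("../README.md", root / "docs" / "readme-link.md")
    os.symlink(secret, root / "leak.txt")
    return base, root, secret


def iter_entries(root: Path, follow: bool) -> Iterator[Path]:
    """Yield every path under root. With follow=True, symlinked directories
    are descended into and their contents show up as ordinary files."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def copy_following_symlinks(root: Path, dst: Path) -> Dict[str, str]:
    """Pre-fix behaviour: every entry is read through and materialised in
    dst, wherever a symlink happens to point. Returns {relpath: content}."""
    written: Dict[str, str] = {}
    for src in iter_entries(root, follow=True):
        rel = src.relative_to(root)
        out = dst / rel
        if src.is_dir():                      # is_dir() follows symlinks
            out.mkdir(parents=True, exist_ok=True)
            continue
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(src.read_bytes())     # read_bytes() follows too
        written[rel.as_posix()] = out.read_text()
    return written


def copy_with_containment_check(root: Path, dst: Path) -> Dict[str, str]:
    """Hardened copy: a symlink whose resolved target is not under the
    resolved template root aborts the run. The root is resolved as well, so
    a template living under a symlinked path (e.g. /tmp on macOS) does not
    make honest in-template links look like escapes."""
    root_resolved = root.resolve()
    written: Dict[str, str] = {}
    for src in iter_entries(root, follow=False):
        rel = src.relative_to(root)
        if src.is_symlink() and not src.resolve().is_relative_to(root_resolved):
            raise ForbiddenPathError(rel.as_posix())
        out = dst / rel
        if src.is_dir():
            out.mkdir(parents=True, exist_ok=True)
            continue
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(src.read_bytes())
        written[rel.as_posix()] = out.read_text()
    return written


def cleanup(base: Path) -> None:
    """Remove the throwaway fixture."""
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base, root, _ = build_fixture()
    leaked = copy_following_symlinks(root, base / "out-vulnerable")
    print("vulnerable copy produced leak.txt =", repr(leaked["leak.txt"]))
    try:
        copy_with_containment_check(root, base / "out-hardened")
    except ForbiddenPathError as err:
        print("hardened copy refused:", err)
    cleanup(base)
```

The hardened walk deliberately uses followlinks=False so that every symlink is seen as a link at its own position; walking with follow_symlinks enabled would surface the children of an escaping directory symlink as plain files that never trigger the is_symlink() guard.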
Attack Vector
This is a local attack vector requiring user interaction. The attack scenario involves:
- An attacker creates a malicious Copier template containing symlinks pointing to sensitive files outside the template directory
- The attacker distributes the template through a repository or direct sharing
- A victim runs Copier to generate a project from this template, believing it to be safe (no --UNSAFE flag required)
- Copier follows the symlinks and copies sensitive files from outside the template root into the generated project
- The attacker obtains the copied files once the victim commits, shares or publishes the generated project (the flaw itself only places the data in the output directory; it does not transmit it anywhere)
dst_root = self.dst_path.resolve()
for src in scantree(str(self.template_copy_root), follow_symlinks):
src_abspath = Path(src.path)
+ # If the source is a symlink, we are not preserving symlinks, and the
+ # symlink target is outside the template root, this means that we are
+ # copying a file/directory from outside the template, which is
+ # forbidden, so raise an error.
+ if (
+ src_abspath.is_symlink()
+ and not self.template.preserve_symlinks
+ and not (src_abspath.resolve()).is_relative_to(
+ self.template.local_abspath
+ )
+ ):
+ raise ForbiddenPathError(
+ path=src_abspath.relative_to(self.template_copy_root)
+ )
src_relpath = Path(src_abspath).relative_to(self.template.local_abspath)
dst_relpaths_ctxs = self._render_path(
Path(src_abspath).relative_to(self.template_copy_root)
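Review bot: the containment test `not (src_abspath.resolve()).is_relative_to(self.template.local_abspath)` resolves the symlink but compares it against an unresolved root; if `local_abspath` itself passes through a symlinked component (a clone under /tmp resolves to /private/tmp on macOS), no resolved target ever starts with the unresolved root, so every symlink in the template, including ones pointing inside it, raises ForbiddenPathError. Compare against `self.template.local_abspath.resolve()`, ideally computed once before the loop next to `dst_root`. Separately, the guard only fires for entries that are themselves symlinks, while the walk is `scantree(str(self.template_copy_root), follow_symlinks)`; confirm that scantree yields a directory symlink before descending into it, otherwise the files beneath an escaping directory symlink arrive here as ordinary paths, skip the `is_symlink()` check and are copied.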
Source: GitHub Commit Update
Detection Methods for CVE-2026-23968
Indicators of Compromise
- Presence of symbolic links within downloaded or cloned Copier templates pointing outside the template directory
- Generated projects containing unexpected files that should not be part of the template (e.g., system files, SSH keys, configuration files)
- Template repositories with symlinks targeting paths like /etc/, /home/, ~/.ssh/, or other sensitive directories
Detection Strategies
- Inspect Copier templates before use by listing all symbolic links with find <template_dir> -type l -exec ls -la {} \;
- Verify symlink targets are contained within the template root directory before running Copier
- Monitor file system access patterns during template generation for unexpected reads outside the template directory
- Implement file integrity monitoring on sensitive directories to detect unauthorized access during template processing
Monitoring Recommendations
- Enable file access auditing on systems where Copier is used to track reads of sensitive files during template generation
- Monitor for new files appearing in generated project directories that match sensitive system file patterns
- Review Copier usage logs for templates sourced from untrusted or unknown repositories
- Implement security controls to alert when symlinks are detected in incoming template archives
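The output-side checks above (unexpected files in the generated project, new files matching sensitive system file patterns) can be automated. The following is an added Python example, not a Copier feature or code from the project: it hashes every regular file in a generated project and compares the digests against those of the sensitive host files a malicious template would most plausibly target. The default path list and the constructed fixture are assumptions; in practice the list is tuned to the host being checked, and a match is a strong indicator because an honest template has no reason to emit a byte-identical copy of a private key.

```python
"""Added example (not part of Copier): flag files in a generated project whose
content is byte-identical to a sensitive file on the host."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed starting list; extend it for the host being checked.
DEFAULT_SENSITIVE = (
    "~/.ssh/id_rsa",
    "~/.ssh/id_ed25519",
    "~/.aws/credentials",
    "~/.netrc",
    "/etc/shadow",
)


def sha256_of(path: Path) -> Optional[str]:
    """Digest of a regular file, or None if it is missing, unreadable or empty
    (empty files would otherwise match each other trivially)."""
    try:
        data = path.read_bytes()
    except OSError:
        return None
    if not data:
        return None
    return hashlib.sha256(data).hexdigest()


def index_sensitive(paths: Iterable[str]) -> Dict[str, str]:
    """Map content hash -> expanded sensitive path, skipping unreadable files."""
    index: Dict[str, str] = {}
    for raw in paths:
        p = Path(os.path.expanduser(raw))
        digest = sha256_of(p)
        if digest:
            index[digest] = str(p)
    return index


def find_leaked_files(
    project_dir: Path, sensitive: Iterable[str] = DEFAULT_SENSITIVE
) -> List[Tuple[str, str]]:
    """Return sorted (path relative to project_dir, matching sensitive path)
    pairs. Symlinks inside the output are skipped: a leak through this CVE
    is a real file copy, and following links here would re-read the host."""
    index = index_sensitive(sensitive)
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(project_dir, followlinks=False):
        for name in filenames:
            f = Path(dirpath) / name
            if f.is_symlink():
                continue
            digest = sha256_of(f)
            if digest and digest in index:
                hits.append((f.relative_to(project_dir).as_posix(), index[digest]))
    return sorted(hits)


def build_fixture() -> Tuple[Path, Path, List[str]]:
    """Constructed data: a fake home directory holding a private key, and a
    generated project that received a copy of it next to an innocent file."""
    base = Path(tempfile.mkdtemp(prefix="copier-leak-check-"))
    key = base / "home" / ".ssh" / "id_ed25519"
    key.parent.mkdir(parents=True)
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nfakefakefake\n")
    project = base / "generated-project"
    (project / "config").mkdir(parents=True)
    (project / "README.md").write_text("# generated\n")
    shutil.copyfile(key, project / "config" / "deploy_key")  # what the CVE would produce
    return base, project, [str(key)]


def cleanup(base: Path) -> None:
    """Remove the throwaway fixture."""
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base, project, sensitive = build_fixture()
    for rel, src in find_leaked_files(project, sensitive):
        print(f"LEAK: {rel} is byte-identical to {src}")
    cleanup(base)
```

Run it against a freshly generated project with the default list (or a longer, host-specific one) before the project is committed anywhere; the check reads the sensitive files only to hash them and never writes.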
How to Mitigate CVE-2026-23968
Immediate Actions Required
- Upgrade Copier to version 9.11.2 or later immediately
- Audit any templates from untrusted sources that were used prior to the upgrade
- Review generated projects for any unexpected files that may have been exfiltrated through this vulnerability
- If upgrading is not immediately possible, set _preserve_symlinks: true in the copier.yml of templates you maintain; the setting lives in the template, not in the consumer's environment, so it does not protect you from a third-party template whose copier.yml you do not control
Patch Information
The vulnerability has been patched in Copier version 9.11.2. The fix adds validation logic to verify that symlink targets remain within the template's local path boundary. When a symlink pointing outside the template root is detected with _preserve_symlinks: false, Copier now raises a ForbiddenPathError and halts processing. For detailed patch information, see the GitHub Commit Update and the GitHub Security Advisory GHSA-xjhm-gp88-8pfx.
Workarounds
- Set _preserve_symlinks: true in the copier.yml of templates you control so that symlinks are copied as links rather than followed; because the setting belongs to the template, it is not a consumer-side defence against a malicious third-party template (you would have to fork that template and change its copier.yml first)
- Manually inspect templates for suspicious symlinks before use with find <template_dir> -type l
- Run Copier in a sandboxed or containerized environment with limited filesystem access
- Only use templates from trusted, verified sources until you can upgrade to the patched version
# Configuration example
# Upgrade Copier to the patched version
pip install --upgrade "copier>=9.11.2"
# Verify the installed version
copier --version
# Temporary mitigation for templates you control: set _preserve_symlinks
# in the template's own copier.yml (or copier.yaml):
# _preserve_symlinks: true
# Inspect a template for symlinks before use
find /path/to/template -type l -exec ls -la {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

