CVE-2026-29050 Overview
CVE-2026-29050 is a path traversal vulnerability in Chainguard Melange, a tool that allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file—for example through pull-request-driven CI or build-as-a-service scenarios—could set pipeline[].uses to a value containing ../ sequences or an absolute path to escape the pipeline directory and read arbitrary YAML-parseable files visible to the melange process.
Critical Impact
This vulnerability enables arbitrary file read and command execution inside the build sandbox during build processes, bypassing the review boundary that normally covers in-tree pipeline definitions.
Affected Products
- Chainguard Melange versions 0.32.0 to 0.43.3
Discovery Timeline
- 2026-04-24 - CVE-2026-29050 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-29050
Vulnerability Analysis
The vulnerability exists in the (*Compiled).compilePipeline function located in pkg/build/compile.go. This function handles the processing of pipeline definitions specified in melange configuration files. When processing the pipeline[].uses directive, the function passed the user-supplied value directly to filepath.Join(pipelineDir, uses + ".yaml") without performing any validation on the input.
This lack of input validation meant that path traversal sequences such as ../ or absolute paths could be injected, allowing the resolved file path to escape the intended --pipeline-dir boundaries and access arbitrary YAML files on the filesystem that are visible to the melange process.
The security implications are compounded by the fact that loaded files are subsequently interpreted as melange pipelines, and their runs: block content is executed via /bin/sh -c within the build sandbox. This creates a pathway for attackers to execute arbitrary shell commands sourced from out-of-tree files during the build process, effectively bypassing the security review boundary that would normally gate in-tree pipeline definitions.
Root Cause
The root cause is an improper input validation issue (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the pipeline compilation logic. The uses parameter was consumed without sanitization, allowing directory traversal sequences to manipulate the final file path resolution.
Attack Vector
An attacker with the ability to influence a melange configuration file—such as through a pull request in a CI/CD environment or via a build-as-a-service platform—can craft a malicious pipeline[].uses value. By including ../ sequences or an absolute path prefix, the attacker can direct the build process to load and execute a YAML file from outside the designated pipeline directory.
This attack vector is particularly dangerous in automated CI systems where user-supplied melange configurations are processed without manual review. The attacker can leverage existing YAML files on the build system or place malicious files in predictable locations to achieve command execution within the build sandbox context.
Detection Methods for CVE-2026-29050
Indicators of Compromise
- Melange configuration files containing pipeline[].uses values with ../ sequences
- Melange configuration files with pipeline[].uses values starting with / (absolute paths)
- Unexpected file access patterns during melange build processes
- Anomalous shell command execution within build sandboxes
Detection Strategies
- Implement static analysis of melange configuration files to detect path traversal patterns in pipeline[].uses values
- Monitor build process file access for reads outside designated pipeline directories
- Enable audit logging for melange build operations to capture pipeline loading events
- Use file integrity monitoring on build systems to detect unauthorized YAML file modifications
Monitoring Recommendations
- Review CI/CD pipeline logs for melange builds processing untrusted configuration sources
- Implement alerting for melange configuration changes that include path-like characters in uses directives
- Audit existing melange configurations for potentially exploitable patterns
How to Mitigate CVE-2026-29050
Immediate Actions Required
- Upgrade to melange version 0.43.4 or later immediately
- Review all melange configuration files for suspicious pipeline[].uses values containing .. or leading /
- Restrict melange build execution to trusted configuration sources only
- Implement manual review gates for user-supplied melange configurations in CI systems
Patch Information
The vulnerability is fixed in melange v0.43.4 via commit 5829ca4. The fix implements two key validation measures: it rejects uses values that are absolute paths or contain .. sequences, and it verifies using filepath.Rel after filepath.Clean that the resolved target path remains within the designated pipeline directory.
For more details, refer to the GitHub Security Advisory.
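The unchecked join described under Vulnerability Analysis and the two checks described under Patch Information, shown side by side, as an added Go example that is not melange's own code: resolveUsesUnsafe, resolveUsesSafe, scanConfig, the /work/pipelines directory and the sample configuration are all constructed for this demonstration. It also shows how the same check can drive a pre-build scan of a configuration file, which is the static-analysis detection suggested above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed pipeline directory for the demonstration; a real melange
// invocation would pass this via --pipeline-dir.
const pipelineDir = "/work/pipelines"

// resolveUsesUnsafe mirrors the pre-0.43.4 behaviour the advisory describes:
// the uses value is joined onto the pipeline directory with no validation,
// so ../ sequences resolve to a file outside that directory.
func resolveUsesUnsafe(dir, uses string) string {
	return filepath.Join(dir, uses+".yaml")
}

var errUsesEscapes = errors.New("pipeline uses value escapes the pipeline directory")

// resolveUsesSafe applies the two measures the advisory attributes to the fix:
// reject absolute paths and any ".." component up front, then confirm with
// filepath.Rel on the cleaned result that the target is still inside dir.
// Hypothetical reimplementation, not the upstream code.
func resolveUsesSafe(dir, uses string) (string, error) {
	if filepath.IsAbs(uses) {
		return "", errUsesEscapes
	}
	for _, part := range strings.Split(filepath.ToSlash(uses), "/") {
		if part == ".." {
			return "", errUsesEscapes
		}
	}
	target := filepath.Clean(filepath.Join(dir, uses+".yaml"))
	rel, err := filepath.Rel(filepath.Clean(dir), target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUsesEscapes
	}
	return target, nil
}

// usesLine picks the value out of a "uses:" list entry, with or without quotes.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)

// Finding records one pipeline[].uses value that the safe resolver rejects.
type Finding struct {
	Line  int
	Value string
}

// scanConfig walks a melange config line by line and reports every uses
// value that would escape dir. It is a line-oriented scan, not a YAML parse.
func scanConfig(dir, config string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(config, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if _, err := resolveUsesSafe(dir, m[1]); err != nil {
			findings = append(findings, Finding{Line: i + 1, Value: m[1]})
		}
	}
	return findings
}

// sampleConfig is a constructed melange configuration: two ordinary in-tree
// pipelines followed by the two patterns listed as indicators of compromise.
const sampleConfig = `package:
  name: demo
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/demo.tar.gz
  - uses: autoconf/make
  - uses: ../../outside/pipeline
  - uses: "/tmp/outside"
`

func main() {
	fmt.Println("unsafe resolution:", resolveUsesUnsafe(pipelineDir, "../../etc/outside"))
	for _, f := range scanConfig(pipelineDir, sampleConfig) {
		fmt.Printf("line %d: rejected uses value %q\n", f.Line, f.Value)
	}
}
```

Running the block prints the escaped path the unsafe resolver produces for a ../ value, then the two sample lines the hardened resolver refuses. Because scanConfig matches lines rather than parsing YAML, a value assembled through anchors or multi-line scalars would slip past it, so it belongs in front of the build as an extra gate, not in place of upgrading to a release that validates the path inside the tool.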
Workarounds
- Only run melange build against configuration files from trusted, verified sources
- In CI systems that build user-supplied melange configs, implement mandatory manual review of pipeline[].uses values before build execution
- Reject any configurations containing .. sequences or leading / in pipeline[].uses values
- Consider implementing a pre-build validation script to scan configuration files for path traversal patterns
# Example pre-build validation to detect path traversal attempts in pipeline[].uses values (leading .., leading /, or a /.. component anywhere in the value; -n reports the offending line)
grep -rnE "uses:[[:space:]]*[\"']?(\.\.|/|[^[:space:]\"']*/\.\.)" melange.yaml && echo "BLOCKED: Path traversal detected" && exit 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.