CVE-2026-32685 Overview
CVE-2026-32685 is a path traversal vulnerability [CWE-22] in the Gleam programming language toolchain. The flaw resides in how gleam docs build processes the documentation.pages entries from gleam.toml. The compiler incorporates the path and source fields into filesystem operations without confining them to the intended project or output directories. An attacker who convinces a victim to build documentation for an untrusted Gleam project can read arbitrary files readable by the victim and write generated documentation files outside the intended build/dev/docs/<package>/ directory. The issue affects Gleam from 1.16.0 until 1.17.0.
Critical Impact
Building documentation on an untrusted Gleam project enables arbitrary local file read and arbitrary file write outside the documentation output directory.
Affected Products
- Gleam 1.16.0
- Gleam versions up to but not including 1.17.0
- Projects invoking gleam docs build with untrusted gleam.toml content
Discovery Timeline
- 2026-06-02 - CVE-2026-32685 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-32685
Vulnerability Analysis
The Gleam build tool reads documentation configuration from gleam.toml, including a documentation.pages array. Each entry contains a source field pointing to a markdown file to embed and a path field describing the output location for the generated HTML. The toolchain joins these user-controlled values to the project root or documentation output directory without validating that the resolved paths remain inside those directories. As a result, traversal sequences such as ../ in source allow reading files outside the project directory, and traversal sequences in path allow writing generated artifacts outside build/dev/docs/<package>/. The advisory tracks this issue as GHSA-wjx8-7w8m-p4v7.
Root Cause
The root cause is missing path confinement when constructing filesystem paths from documentation.pages[].source and documentation.pages[].path. Gleam does not canonicalize the resulting paths or verify that they remain within the project root and the build output directory before performing read and write operations.
Attack Vector
Exploitation requires local execution with user interaction. An attacker crafts a malicious Gleam project or a malicious gleam.toml that points source at sensitive files on the victim's filesystem, such as SSH keys or environment files. When the victim runs gleam docs build, the file contents are embedded into the generated HTML documentation. The attacker can also set path to traversal sequences that write documentation output to attacker-chosen locations, which can overwrite files writable by the victim. Refer to the CNA advisory and the fix commits 81570611 and c9230cd3 for implementation details.
# Conceptual malicious gleam.toml fragment (do not use)
[[documentation.pages]]
title = "Notes"
path = "../../../tmp/overwrite.html"
source = "../../../home/victim/.ssh/id_rsa"
Detection Methods for CVE-2026-32685
Indicators of Compromise
- Presence of documentation.pages entries in gleam.toml whose source or path values contain .. traversal sequences or absolute paths
- Generated documentation HTML files appearing outside the build/dev/docs/<package>/ directory after running gleam docs build
- Documentation output that embeds the contents of sensitive files such as private keys, shell history, or credentials
Detection Strategies
- Scan repositories and CI workspaces for gleam.toml files containing path traversal patterns in documentation.pages fields
- Audit build pipelines that execute gleam docs build on third-party or contributor-supplied projects
- Compare the Gleam toolchain version reported by gleam --version against the fixed release 1.17.0
Monitoring Recommendations
- Log filesystem read and write events performed by the gleam process during documentation builds and alert on access outside the project tree
- Run untrusted Gleam projects only inside ephemeral sandboxes or containers with read-only mounts of sensitive host directories
- Track Gleam advisories from the OSV entry EEF-CVE-2026-32685 and the Erlang Ecosystem Foundation CNA
How to Mitigate CVE-2026-32685
Immediate Actions Required
- Upgrade Gleam to version 1.17.0 or later on all developer workstations and CI runners
- Audit gleam.toml files in dependencies and third-party projects for suspicious documentation.pages entries before running gleam docs build
- Avoid invoking gleam docs build on untrusted projects outside isolated environments
Patch Information
The fix is delivered in Gleam 1.17.0 and implemented in commits 81570611906b6b0039c948037094d09a68700f3a and c9230cd3045de8fd8481dae3a4557c0146df1430. The patches confine documentation.pages[].source reads to the project directory and documentation.pages[].path writes to the documentation output directory.
Workarounds
- Run gleam docs build only inside containers or sandboxes that lack access to sensitive host files
- Review and sanitize documentation.pages entries in gleam.toml to ensure source and path values are relative and do not contain .. sequences
- Restrict the user account that runs documentation builds to the minimum filesystem permissions required
# Verify the installed Gleam version is patched
gleam --version
# Upgrade Gleam (example using the official installer script)
curl -fsSL https://gleam.run/install.sh | sh
# Run documentation builds in an isolated container
docker run --rm -v "$PWD":/src:ro -w /src ghcr.io/gleam-lang/gleam:1.17.0 \
gleam docs build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

