CVE-2026-34726 Overview
CVE-2026-34726 is a path traversal vulnerability discovered in Copier, a popular library and CLI application used for rendering project templates. The vulnerability exists in Copier's _subdirectory setting implementation, which is documented to specify the subdirectory to use as the template root. However, versions prior to 9.14.1 accept parent-directory traversal sequences (such as ..) and use them directly when selecting the template root, allowing a malicious template to escape its own directory and render files from the parent directory without requiring the --UNSAFE flag.
Critical Impact
A malicious template can bypass intended directory restrictions and access files outside the template root, potentially exposing sensitive information or enabling template injection attacks without user awareness.
Affected Products
- Copier versions prior to 9.14.1
- Copier library (Python package)
- Copier CLI application
Discovery Timeline
- 2026-04-02 - CVE-2026-34726 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34726
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the template root selection logic within Copier's core functionality. The _subdirectory configuration option is designed to allow template authors to specify a subdirectory within the template repository as the root for rendering. However, the implementation failed to validate that the resulting path remained within the template's boundaries.
The vulnerability allows an attacker who controls a template (for example through a supply chain attack or a malicious template repository) to craft a _subdirectory value containing parent-directory traversal sequences such as .. or ../. When a user renders such a template, Copier follows these traversal sequences and may render files from directories outside the intended template root, bypassing the safety mechanisms that normally require the --UNSAFE flag for risky operations.
Root Cause
The root cause lies in the _get_template_root method within copier/_main.py. The original implementation directly concatenated the template's local absolute path with the rendered subdirectory value without validating that the resulting path remained within the template's boundaries. The code simply returned self.template.local_abspath / subdir without checking for path traversal attempts.
Attack Vector
An attacker could exploit this vulnerability by creating a malicious template with a crafted _subdirectory setting containing parent-directory traversal sequences. When an unsuspecting user clones and renders this template using Copier, the tool would traverse outside the template directory and potentially:
- Render sensitive configuration files from parent directories
- Access files outside the template root that were never intended to be processed
- Bypass security controls that would normally require the --UNSAFE flag
The attack requires local access as the user must invoke Copier with a malicious template, and user interaction is needed to execute the template rendering process.
# Security patch - fix: disallow `_subdirectory` path outside template root
# Before (vulnerable):
# return self.template.local_abspath / subdir
#
# After (fixed):
It points to the cloned template local abspath + the rendered subdir, if any.
"""
subdir = self._render_string(self.template.subdirectory) or ""
- return self.template.local_abspath / subdir
+ path = (self.template.local_abspath / subdir).resolve()
+ if not path.is_relative_to(self.template.local_abspath):
+ raise ForbiddenPathError(path=Path(subdir))
+ return path
# Main operations
@as_operation("copy")
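Review bot: the containment check compares a resolved path against an unresolved base. `path` is built with `.resolve()`, but `self.template.local_abspath` is used as-is in `is_relative_to`, so if `local_abspath` contains a symlink component (or is itself a symlink) the resolved prefix will differ and a legitimate `_subdirectory` will be rejected with ForbiddenPathError. Suggest resolving the base once and using it on both sides, e.g. `base = self.template.local_abspath.resolve()` / `path = (base / subdir).resolve()` / `if not path.is_relative_to(base):`. The hunk also does not show imports for `ForbiddenPathError` or `Path`; confirm both are imported in copier/_main.py, and note that `Path.is_relative_to` requires Python 3.9 or later.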
Source: GitHub Commit cb80a3f
Detection Methods for CVE-2026-34726
Indicators of Compromise
- Templates with _subdirectory values containing .. or other parent-directory traversal sequences
- Copier execution logs showing access to files outside the expected template directory
- Unexpected file operations in parent directories during template rendering
Detection Strategies
- Audit template repositories for _subdirectory settings containing path traversal patterns
- Monitor Copier invocations and log file access patterns during template rendering
- Implement file integrity monitoring on directories adjacent to template workspaces
- Review installed Copier version using pip show copier to identify vulnerable installations
Monitoring Recommendations
- Enable verbose logging when using Copier to track file access patterns
- Implement alerting for Copier processes accessing files outside expected template directories
- Scan template sources for suspicious _subdirectory configurations before use
- Monitor Python package installations for Copier versions below 9.14.1
How to Mitigate CVE-2026-34726
Immediate Actions Required
- Upgrade Copier to version 9.14.1 or later immediately
- Audit any templates used in your environment for malicious _subdirectory settings
- Review recently rendered templates for signs of path traversal exploitation
- Validate template sources and only use templates from trusted repositories
Patch Information
The vulnerability has been patched in Copier version 9.14.1. The fix adds path resolution and validation to ensure the computed template root path remains within the template's local absolute path. If the resolved path escapes the template boundaries, a ForbiddenPathError is now raised. Users should upgrade using:
pip install --upgrade "copier>=9.14.1"
For additional details, see the GitHub Security Advisory GHSA-85v3-4m8g-hrh6 and Release v9.14.1.
Workarounds
- Keep in mind which operations the --UNSAFE flag normally gates, and carefully review all template operations before execution
- Manually inspect template copier.yml or copier.yaml files for suspicious _subdirectory values before rendering
- Run Copier in isolated environments such as containers to limit potential exposure
- Clone and review template repositories locally before use to identify path traversal attempts
# Verify Copier version and upgrade if necessary
pip show copier | grep Version
pip install --upgrade "copier>=9.14.1"
# Inspect template configuration before use
grep "_subdirectory" /path/to/template/copier.yml
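The following added example (not Copier's own code) shows the pre-patch and patched root-selection logic side by side and wraps the patched check in a small audit helper for copier.yml files, covering the manual inspection step above and the root cause described earlier. It assumes Python 3.9 or later for Path.is_relative_to, uses a minimal line parser rather than a YAML library, and leaves Jinja expressions in _subdirectory unrendered; the sample copier.yml contents and the template path are constructed for illustration. Beyond the `..` case on this page, the same check also rejects absolute _subdirectory values.

```python
from pathlib import Path

# Constructed sample copier.yml contents (not from any real template).
BENIGN_YML = '_subdirectory: template\n_min_copier_version: "9.0.0"\n'
MALICIOUS_YML = "_subdirectory: ../../etc\n"


def extract_subdirectory(copier_yml_text: str) -> str:
    """Return the raw top-level _subdirectory value, or "" if unset.

    Minimal line-based parser: strips surrounding quotes only. A Jinja
    expression such as {{ layout }} is returned as-is, not rendered.
    """
    for line in copier_yml_text.splitlines():
        if line.startswith("_subdirectory:"):
            return line.split(":", 1)[1].strip().strip("\"'")
    return ""


def template_root_vulnerable(local_abspath: Path, subdir: str) -> Path:
    """Pre-9.14.1 behaviour: bare join, no containment check, so ".." survives."""
    return local_abspath / subdir


def template_root_fixed(local_abspath: Path, subdir: str) -> Path:
    """9.14.1-style check: resolve, then require the result to stay under the root.

    Both sides are resolved so a symlinked base directory does not cause a
    false rejection. Raises ValueError where Copier raises ForbiddenPathError.
    """
    base = local_abspath.resolve()
    path = (base / subdir).resolve()
    if not path.is_relative_to(base):
        raise ValueError(f"_subdirectory escapes template root: {subdir!r}")
    return path


def escapes_root(local_abspath: Path, subdir: str) -> bool:
    """True if the patched check would reject this _subdirectory value."""
    try:
        template_root_fixed(local_abspath, subdir)
    except ValueError:
        return True
    return False


def audit_template(copier_yml_text: str, local_abspath: Path) -> dict:
    """Audit one copier.yml: report the _subdirectory value and whether it escapes."""
    subdir = extract_subdirectory(copier_yml_text)
    return {"subdirectory": subdir, "escapes_root": escapes_root(local_abspath, subdir)}
```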
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

