CVE-2026-44301 Overview
CVE-2026-44301 is a path traversal vulnerability [CWE-22] in Hugo, an open-source static site generator written in Go. The flaw affects versions from 0.43 up to but not including 0.161.0. When Hugo builds a site that uses Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS, it invokes the configured Node tools without restricting their file system access. Building an untrusted site allows code running through these tools to read or write files outside the project working directory. The maintainers fixed the issue in Hugo 0.161.0.
Critical Impact
Processing an untrusted Hugo site with Node-based asset pipelines can lead to arbitrary file read and write on the build host.
Affected Products
- Hugo versions 0.43 through 0.160.x
- Hugo sites configured with PostCSS asset pipelines
- Hugo sites configured with Babel or TailwindCSS asset pipelines
Discovery Timeline
- 2026-05-12 - CVE-2026-44301 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44301
Vulnerability Analysis
Hugo integrates external Node.js toolchains to process CSS and JavaScript assets during site builds. The resources.PostCSS, resources.Babel, and TailwindCSS integrations spawn Node processes that operate on project sources. Before the fix, Hugo invoked these external tools without applying file system access restrictions to the child processes. A malicious site author can craft configuration files or plugins that the Node tooling executes during the build. That code inherits the privileges of the user running hugo and can traverse outside the working directory.
Root Cause
The root cause is missing isolation between the Hugo build process and Node-based asset pipeline tools [CWE-22]. Hugo did not constrain the working directory or apply sandboxing controls when handing off asset processing to Node. As a result, attacker-controlled PostCSS plugins, Babel transforms, or Tailwind configuration scripts execute with full file system access.
Attack Vector
Exploitation requires a victim to run hugo against an untrusted site that uses one of the affected asset pipelines. The attacker authors a repository containing a malicious postcss.config.js, babel.config.js, or Tailwind configuration. When the victim builds the site, the Node tooling loads the attacker's JavaScript, which then reads sensitive files such as SSH keys or writes payloads outside the project directory. Users who do not use PostCSS, Babel, or TailwindCSS, and users who only build trusted sites, are not affected. See the Hugo GitHub Security Advisory GHSA-x597-9fr4-5857 for additional technical context.
Detection Methods for CVE-2026-44301
Indicators of Compromise
- Unexpected file access from node or npx child processes spawned by hugo during builds
- Hugo build logs referencing postcss.config.js, babel.config.js, or tailwind.config.js from untrusted repositories
- New or modified files outside the Hugo project root following a build operation
Detection Strategies
- Monitor build hosts and CI runners for hugo processes spawning node with file access outside the project directory.
- Review version manifests across developer workstations and CI pipelines to identify Hugo binaries older than 0.161.0.
- Audit Hugo project repositories for asset pipeline configurations that load third-party plugins from untrusted sources.
Monitoring Recommendations
- Enable process and file telemetry on CI/CD build agents to capture parent-child relationships between hugo and node.
- Alert on Hugo builds that access paths outside the configured workspace, including home directories and credential stores.
- Track outbound network connections initiated by Node processes during static site builds.
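The following Go program, added here as an illustration (it is not Hugo's code and not part of the original advisory), applies the indicators and detection strategies above to a constructed process table and file-telemetry feed: it walks the parent chain to find node/npx processes descended from hugo, normalises each accessed path (collapsing ".." segments), and raises a finding when the path resolves outside the project root. All PIDs, process names and file paths are constructed sample data; the "/sitecopy" entry shows why a plain string-prefix check is not enough.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Proc is one row of a constructed process table: parent PID and command name.
type Proc struct {
	PPID int
	Comm string
}

// FileEvent is one constructed file-telemetry record emitted by a process.
type FileEvent struct {
	PID  int
	Op   string // "read" or "write"
	Path string // path as observed, possibly containing ".." segments
}

// Finding is an alert: a Node child of hugo touched a path outside the project root.
type Finding struct {
	PID  int
	Op   string
	Path string // normalised path
}

// outsideRoot normalises target (collapsing "." and "..") and reports whether it
// falls outside root. Both are treated as absolute, slash-separated paths, and the
// trailing "/" in the prefix check keeps "/sitecopy" from matching root "/site".
func outsideRoot(root, target string) bool {
	root = path.Clean(root)
	target = path.Clean(target)
	return target != root && !strings.HasPrefix(target, root+"/")
}

// hasHugoAncestor walks up the parent chain looking for a hugo process.
func hasHugoAncestor(pid int, procs map[int]Proc) bool {
	seen := map[int]bool{}
	for pid > 1 && !seen[pid] {
		seen[pid] = true
		p, ok := procs[pid]
		if !ok {
			return false
		}
		if p.Comm == "hugo" {
			return true
		}
		pid = p.PPID
	}
	return false
}

// Analyze flags file events from node/npx processes descended from hugo whose
// normalised path lies outside the project root. Events from unrelated node
// processes and events inside the project are ignored.
func Analyze(root string, procs map[int]Proc, events []FileEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		p, ok := procs[ev.PID]
		if !ok || (p.Comm != "node" && p.Comm != "npx") {
			continue
		}
		if !hasHugoAncestor(ev.PID, procs) {
			continue
		}
		if outsideRoot(root, ev.Path) {
			out = append(out, Finding{PID: ev.PID, Op: ev.Op, Path: path.Clean(ev.Path)})
		}
	}
	return out
}

// SampleFindings runs Analyze over constructed telemetry for a build rooted at /site.
func SampleFindings() []Finding {
	procs := map[int]Proc{
		100: {PPID: 1, Comm: "hugo"},
		101: {PPID: 100, Comm: "node"}, // PostCSS worker spawned by hugo
		200: {PPID: 1, Comm: "node"},   // unrelated node process, not a hugo child
	}
	events := []FileEvent{
		{101, "read", "/site/assets/css/main.css"},        // inside project: fine
		{101, "read", "/site/../home/ci/.ssh/id_ed25519"}, // traversal out of root
		{101, "write", "/home/ci/.bashrc"},                // absolute path outside root
		{101, "read", "/sitecopy/notes.txt"},              // shares a string prefix, not under /site/
		{200, "read", "/etc/hostname"},                    // not a hugo descendant: ignored
	}
	return Analyze("/site", procs, events)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("ALERT pid=%d %s %s\n", f.PID, f.Op, f.Path)
	}
}
```

On a real host the process table and file events would come from the EDR or auditd feed enabled per the monitoring recommendations; the decision logic (hugo ancestry plus normalised path outside the workspace) stays the same.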
How to Mitigate CVE-2026-44301
Immediate Actions Required
- Upgrade Hugo to version 0.161.0 or later on all developer machines, build servers, and CI/CD runners.
- Inventory repositories that use resources.PostCSS, Babel, or TailwindCSS pipelines and prioritize them for review.
- Never build untrusted Hugo sites on systems containing sensitive credentials or production secrets.
Patch Information
The vulnerability is fixed in Hugo 0.161.0. Upgrade instructions and the full advisory are available in the Hugo GitHub Security Advisory GHSA-x597-9fr4-5857.
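To support the version inventory recommended in the detection and mitigation sections, here is an added Go example (not Hugo's code or tooling, and not part of the original advisory) that parses the version string from `hugo version` output and flags binaries in the affected range 0.43 up to but not including 0.161.0. The host names and output lines are constructed samples; the parser assumes the version token is the first "v" followed by major.minor[.patch] on the line, which matches the usual shape of that output.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Version is a parsed Hugo semantic version.
type Version struct{ Major, Minor, Patch int }

// Fixed is the first release containing the fix, per the advisory.
var Fixed = Version{0, 161, 0}

// FirstAffected is the earliest affected release listed in the advisory.
var FirstAffected = Version{0, 43, 0}

// verRe matches "v0.160.1" or "v0.43" (patch component optional).
var verRe = regexp.MustCompile(`\bv(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseHugoVersion extracts the version from one line of `hugo version` output.
func ParseHugoVersion(line string) (Version, error) {
	m := verRe.FindStringSubmatch(line)
	if m == nil {
		return Version{}, fmt.Errorf("no version found in %q", line)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return Version{major, minor, patch}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// IsAffected reports whether v falls in [0.43.0, 0.161.0).
func IsAffected(v Version) bool {
	return !v.Less(FirstAffected) && v.Less(Fixed)
}

// AuditHosts maps host names to their `hugo version` output and returns the
// hosts that still run an affected build, sorted by name.
func AuditHosts(outputs map[string]string) ([]string, error) {
	var need []string
	for host, line := range outputs {
		v, err := ParseHugoVersion(line)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", host, err)
		}
		if IsAffected(v) {
			need = append(need, host)
		}
	}
	sort.Strings(need)
	return need, nil
}

// sampleOutputs is constructed inventory data, not real hosts.
var sampleOutputs = map[string]string{
	"ci-runner-1": "hugo v0.160.1+extended linux/amd64 BuildDate=unknown",
	"ci-runner-2": "hugo v0.161.0+extended linux/amd64 BuildDate=unknown",
	"dev-laptop":  "Hugo Static Site Generator v0.42 linux/amd64 BuildDate: unknown",
	"legacy-box":  "Hugo Static Site Generator v0.43 linux/amd64 BuildDate: unknown",
}

func main() {
	need, err := AuditHosts(sampleOutputs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range need {
		fmt.Printf("%s: upgrade Hugo to %d.%d.%d or later\n", h, Fixed.Major, Fixed.Minor, Fixed.Patch)
	}
}
```

In practice the map would be filled from each workstation's or runner's `hugo version` output collected by your configuration-management or inventory tool.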
Workarounds
- Avoid building untrusted Hugo sites that use PostCSS, Babel, or TailwindCSS until upgrading.
- Run Hugo builds inside ephemeral containers or sandboxes with restricted file system mounts.
- Execute builds under dedicated low-privilege user accounts that lack access to credentials and sensitive directories.
# Verify Hugo version and upgrade
hugo version
# Expected output should be v0.161.0 or later
# Run untrusted builds inside an isolated container: the project is mounted
# read-only, output and cache go to separate paths, the container has no network
# and is discarded afterwards. If the theme needs to write resources/_gen under
# the project, build from a throwaway copy mounted read-write instead of ":ro".
docker run --rm --network none -v "$PWD":/site:ro -v "$PWD/public":/out -w /site \
  hugomods/hugo:0.161.0 hugo --minify -d /out --cacheDir /tmp/hugo-cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.