CVE-2026-10303 | Severity: HIGH | CNA: runZero

CVE-2026-10303: ServerCo getssl ACME shell script path injection

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
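The defensive check the advisory describes, as an added example that is not getssl's own code: RFC 8555 section 8.3 requires a challenge token to contain only base64url characters, so a shell ACME client can reject any other token before it ever reaches a filename. The POSIX sh functions, the RFC 8555 sample token and the malformed tokens below are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from getssl. Validate an ACME challenge token
# against RFC 8555 section 8.3 (base64url alphabet only: A-Z a-z 0-9 - _)
# before using it to build a challenge-file path. Because '/' and '.' are
# outside that alphabet, a validated token can never leave the challenge dir.

# Returns 0 if the token is non-empty and purely base64url, 1 otherwise.
validate_acme_token() {
    token=$1
    case "$token" in
        "") return 1 ;;                      # empty token is never valid
        *[!A-Za-z0-9_-]*) return 1 ;;        # any character outside the alphabet
    esac
    return 0
}

# Write the key authorization to <challenge_dir>/<token>, refusing
# unvalidated tokens without touching the filesystem. Prints the path written.
write_challenge_file() {
    challenge_dir=$1
    token=$2
    keyauth=$3
    if ! validate_acme_token "$token"; then
        echo "rejecting challenge token that is not RFC 8555 base64url" >&2
        return 1
    fi
    target="$challenge_dir/$token"
    printf '%s\n' "$keyauth" > "$target" || return 1
    echo "$target"
}

# Demonstration with constructed inputs: the RFC 8555 example token is
# accepted; a token carrying a path separator is rejected before any write.
demo_dir=$(mktemp -d)
write_challenge_file "$demo_dir" 'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA' 'constructed-key-authorization'
write_challenge_file "$demo_dir" '../not-a-token' 'constructed-key-authorization' \
    || echo "malformed token rejected, nothing written"
rm -rf "$demo_dir"
```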

Metrics

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A path injection vulnerability (CWE-73, external control of file name or path) exists in ServerCo getssl versions 2.49 and earlier, an ACME certificate management shell script. An attacker who can supply a crafted ACME challenge token, either by acting as a malicious or compromised CA endpoint or by intercepting the response over the network (requiring high attack complexity), can manipulate local file path and filename handling during certificate validation. Successful exploitation enables unauthorized file writes and path traversal, typically running with elevated privileges, which can escalate to remote command injection. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10303 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle getssl or vendor it as part of a certificate automation workflow.

Triage: Available

Triage is available using the CVSS v3.1 score of 7.4 (HIGH), with per-environment compliance policy weighting applied to adjust effective priority based on each customer org's risk profile; findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

No fix version has been published for getssl at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix version is released; for customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the getssl client over the network, either by operating a malicious CA endpoint the client connects to or by positioning themselves on-path to tamper with ACME challenge responses.

  • Authentication: Not required

    No authentication is needed; the attacker exploits the unauthenticated ACME challenge-response exchange.

  • Victim interaction: Not required

    No user interaction is required; exploitation occurs during the automated certificate validation flow without any human action.

  • Attack complexity: High

    Attack complexity is high, meaning the attacker must either control or compromise the CA endpoint, or establish an on-path position to intercept and tamper with ACME responses, which requires non-trivial setup.

Blast Radius

  • Writes arbitrary files to local paths accessible by the getssl process, which typically runs with elevated privileges during certificate issuance.
  • Traverses outside intended directories via crafted token values, potentially overwriting sensitive system files or dropping attacker-controlled content.
  • Escalates from file write to remote command injection by placing executable content in locations that are subsequently invoked by the host system or automation tooling.
  • Confidentiality of high-value files is exposed as a side effect of path traversal, allowing the attacker to infer directory structure and overwrite credential or configuration files.

How HarborGuard Handles This

Available on HarborGuard: detection of getssl versions 2.49 and earlier is active across customer image scanning pipelines, with findings scored at CVSS 7.4 HIGH and routed according to each environment's compliance policy. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once ServerCo ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow without manual steps. In the meantime, compensating controls worth considering include: restricting network access from container workloads running getssl to only known, verified CA endpoints via egress network policy; placing an authenticating proxy or pinned TLS trust anchor in front of ACME CA communication to reduce on-path tampering risk; and, where operationally feasible, gating automated certificate renewal flows behind a feature flag until a fix is available. Note that other ACME shell script handlers may be affected by the same class of issue, so any similar tooling in your images should be reviewed as well.

Affected packages

  • ServerCo / getssl ≤ 2.49

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N