HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11527Published Modified CNA CPANSec

CVE-2026-11527: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.

Metrics

CVSS v3.1
8.6
Severity
HIGH
Fixed in
3.001000
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

OS command injection and file overwrite vulnerability in Config::IniFiles (Perl) before version 3.001000. The flaw is reached locally when a user or process supplies input that is forwarded to the -file argument, and no authentication is required to trigger it, though the attacker must cause a victim to pass a crafted filename. Successful exploitation lets an attacker execute arbitrary OS commands or overwrite files under the process UID. A patched-image rebuild at version 3.001000 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11527 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including CPANSec) within minutes of publication and matched against all customer images, including custom-built images that bundle Config::IniFiles. Any image layer containing a Config::IniFiles release before 3.001000 is flagged.

Available
Triage

HarborGuard scores this finding at CVSS 8.6 HIGH (v3.1) and weights it against each environment's compliance policy to prioritize routing. Triage tickets are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at Config::IniFiles 3.001000 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; this is a local attack vector and no network path to the service is required.

  • AuthenticationNot required

    No account or credential is required to supply the malicious -file argument; the attacker only needs the ability to influence the filename passed to Config::IniFiles.

  • Victim interactionRequired

    A victim process or user must pass attacker-controlled input as the -file argument to Config::IniFiles::new, making this a social-engineering or input-injection scenario rather than a fully autonomous attack.

  • Attack complexityDetail

    Attack complexity is low: no race condition, memory-layout dependency, or other environmental precondition is required beyond supplying a pipe- or redirect-prefixed filename string.

Blast Radius

  • Executes arbitrary OS commands under the UID of the process running Config::IniFiles, giving the attacker the same filesystem and process privileges as the application.
  • Truncates or overwrites arbitrary files accessible to the process UID, enabling destruction or replacement of configuration, credential, or data files.
  • Reads file contents or exfiltrates data by piping output to attacker-controlled destinations via the injected command.
  • Achieves scope change (CVSS S:C): impact extends beyond the vulnerable component itself to other resources on the host accessible under the same UID.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Config::IniFiles before 3.001000, including internally built Perl application images. Because a fix exists at version 3.001000, a patched-image rebuild is available immediately for affected images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is surfaced in the triage queue with CVSS 8.6 HIGH scoring and compliance-policy weighting so engineering teams can prioritize manual remediation. In the interim, compensating controls include validating or sanitizing any externally supplied filename before it reaches the -file argument, and applying process-level UID restrictions (such as running the container as a non-root user with a minimal filesystem write scope) to limit the blast radius of a successful injection.

See how HarborGuard automates this

Fix available

3.001000
Patch commits
Affected packages
  • SHLOMIF / Config::IniFiles
    < 3.001000 (from 0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References