CVE-2026-30120: remotion-dev remotion v4
remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Remote code execution vulnerability in remotion-dev remotion v4.0.409 allows an unauthenticated attacker to reach the affected service over the network and execute arbitrary code on the host. No credentials or victim interaction are required, making this exploitable by any party with network access to the service. Successful exploitation gives the attacker full control over the host process, with high impact to confidentiality, integrity, and availability. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-30120 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and active pipelines, including custom-built images that bundle remotion v4.0.409.
Status: Available
Triage is available with the CVSS v3.1 score of 9.8 (Critical) surfaced on every matched finding, weighted against each customer organization's compliance policy to prioritize routing and ensure the alert reaches the right team inbox.
Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker can send a malicious request from any remote host without requiring LAN or physical access.
- Authentication: Not required
No credentials of any privilege level are needed; the exploit is available to any unauthenticated caller.
- Victim interaction: Not required
The attacker does not need to trick any user into taking an action; the exploit triggers through a direct request to the service.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions to succeed.
Blast Radius
- Reads any file or secret accessible to the host process, including environment variables, credentials, and private keys.
- Writes or overwrites arbitrary files on the host filesystem, enabling persistent backdoor installation or data corruption.
- Executes operating system commands with the privileges of the running container process, enabling lateral movement or further exploitation of the surrounding infrastructure.
- Crashes or destabilizes the affected service, causing a denial of service for any workload depending on it.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-30120 is flagged as Critical (CVSS 9.8) and any image containing remotion v4.0.409 is surfaced immediately upon scan. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the instant a fix version appears. In the meantime, compensating controls are worth considering for affected environments: apply network policy to restrict inbound access to the remotion service to trusted sources only, enable egress filtering to limit outbound connections from the container, and evaluate whether the feature or endpoint that exposes remotion can be gated or disabled until a patch is available. For customers with auto-remediation enabled, once an upstream fix is published the rebuild, regression test run, and PR against affected workloads will be initiated automatically, with a median time from CVE publication to merged patch PR for Critical-severity issues of around 90 minutes.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H