CVE-2026-36500: An issue in the cluster-admin:backup-datastore component of Controller v12
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A directory traversal vulnerability exists in the cluster-admin:backup-datastore component of Controller v12.0.5. The flaw is reachable over the network without any authentication, by sending a crafted request that manipulates file path references to step outside the intended directory boundary. Successful exploitation gives an attacker the ability to read arbitrary files from the host filesystem and disrupt service availability. HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
Detection for CVE-2026-36500 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that contain the affected Controller v12.0.5 component.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.1 (Critical) and weighting that score against each environment's compliance policy; findings are routed to the appropriate team inbox within each customer organization based on configured severity thresholds.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine to flag or block images containing the affected component.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable component is exposed over the network, meaning an attacker must be able to reach the service via a network connection to send a crafted request.
- AuthenticationNot required
No credentials or account of any kind are needed; the crafted request can be sent by any unauthenticated party.
- Victim interactionNot required
Exploitation is fully attacker-driven and requires no action from any user or administrator of the affected system.
- Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental factors to succeed.
Blast Radius
- An attacker can read arbitrary files from the host filesystem, including configuration files, credentials, private keys, and other sensitive data stored outside the intended backup-datastore directory.
- An attacker can disrupt availability of the affected Controller service, causing it to become unresponsive or fail to complete backup operations.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-36500 activates immediately upon ingest, matching the affected Controller v12.0.5 component against images in customer registries and CI/CD pipelines. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While no patch is available, compensating controls worth considering include network-policy isolation to restrict which services can reach the backup-datastore endpoint, egress filtering to limit lateral movement if the component is compromised, and feature-flag gating to disable backup-datastore exposure where the feature is not actively required. Customers with compliance policies that flag Critical-severity unpatched findings will see this CVE surfaced for manual review in the appropriate team inbox.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H