How is CVE-2026-41245 exploited?

Network reachability (required): The attacker must deliver the crafted RAR archive over the network, exposing any service or workflow that fetches and extracts remote or user-supplied archives. Authentication (not-required): No credentials are needed; the attacker only needs to get the victim to extract a malicious archive, with no account or session required. Victim interaction (required): A user or automated process must explicitly extract the attacker-crafted RAR archive, making this a social-engineering or supply-chain delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

What is the impact of CVE-2026-41245?

The attacker writes arbitrary files with attacker-controlled content to sibling directories outside the intended extraction root, overwriting configuration files, scripts, or application binaries. Overwriting executable or configuration files can cause the affected service or application to crash or behave incorrectly, disrupting availability. Because the scope is changed (S:C in the CVSS vector), files written by the exploit can affect components beyond the extracting process itself, including co-located services sharing the filesystem. No confidential data is directly read by this exploit; the primary impact is unauthorized file writes and the resulting service disruption.

Back to search

CRITICALCVE-2026-41245Published 2026-04-20Modified 2026-06-30CNA GitHub_M

CVE-2026-41245: Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A path traversal (Zip-Slip) vulnerability exists in the Junrar Java RAR archive library, affecting all versions prior to 7.5.10. The flaw is reachable over the network and requires no authentication, but does require a victim to extract a crafted RAR archive supplied by the attacker. Successful exploitation lets the attacker write arbitrary files with attacker-controlled content into directories outside the intended extraction path, enabling both data tampering and denial of service. HarborGuard is tracking the advisory for patch availability, as no fix version has been published upstream at this time.

HarborGuard Coverage

Detection

Detection of CVE-2026-41245 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the junrar library directly or as a transitive dependency.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.3 (Critical) and weighting results against each environment's compliance policy to surface it at the appropriate priority level; automated routing can direct findings to the correct team inbox within each customer organization.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must deliver the crafted RAR archive over the network, exposing any service or workflow that fetches and extracts remote or user-supplied archives.
AuthenticationNot required
No credentials are needed; the attacker only needs to get the victim to extract a malicious archive, with no account or session required.
Victim interactionRequired
A user or automated process must explicitly extract the attacker-crafted RAR archive, making this a social-engineering or supply-chain delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

The attacker writes arbitrary files with attacker-controlled content to sibling directories outside the intended extraction root, overwriting configuration files, scripts, or application binaries.
Overwriting executable or configuration files can cause the affected service or application to crash or behave incorrectly, disrupting availability.
Because the scope is changed (S:C in the CVSS vector), files written by the exploit can affect components beyond the extracting process itself, including co-located services sharing the filesystem.
No confidential data is directly read by this exploit; the primary impact is unauthorized file writes and the resulting service disruption.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-41245, the advisory is re-checked on every ingest cycle so that a patched-image rebuild becomes available automatically the moment the junrar maintainers publish a remediated release. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which services are permitted to receive or extract user-supplied archives, egress filtering to prevent compromised extraction pipelines from writing to sensitive sibling paths, and feature-flag gating to disable RAR extraction workflows in affected images until the patch is available. For customers with auto-remediation enabled, once an upstream fix is published the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

See how HarborGuard automates this

Affected packages

junrar / junrar
< 7.5.10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

References

Metrics

Get notified