CVE-2026-44973 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44973: Billy: Path traversal vulnerabilities

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.

HarborGuard Analysis

Synopsis

Path traversal vulnerabilities affect go-billy, a filesystem abstraction library for Go that applications use when they need some degree of directory isolation. Because go-billy is a library, the exposure is only as large as the application that embeds it: the CVSS vector (AV:N/PR:L/UI:N) models the common case of a network-reachable service that passes a user-supplied file or directory name to go-billy and is open to any low-privilege authenticated account, with no victim interaction. In that case a crafted path (for example one containing ..) can read or write files outside the intended base directory, escaping the boundary the application assumes is in place. The upstream advisory names go-billy 5.9.0 as the fixed version; HarborGuard tracks this CVE and will make a patched-image rebuild available as soon as 5.9.0 is confirmed resolvable in affected images.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-44973 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that vendor go-billy as a dependency. Any image carrying a go-billy version below 5.9.0 is flagged automatically.
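To reproduce the version check that the detection above performs on an image's Go dependencies, here is an added example in Go. It is not HarborGuard's scanner and not go-billy code: it parses a go.mod, finds the github.com/go-git/go-billy/v5 requirement and reports whether that version is below v5.9.0, using semver ordering so that a pre-release or pseudo-version of 5.9.0 still counts as affected. The go.mod text and every module version in it are constructed for the example, and the names Version, ParseVersion and ScanGoMod are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// VulnModule and FixedVersion encode the advisory's range:
// github.com/go-git/go-billy/v5 below v5.9.0 is affected.
const VulnModule = "github.com/go-git/go-billy/v5"

var FixedVersion = Version{5, 9, 0, ""}

// Version is a parsed Go module version such as v5.8.0 or v5.9.0-rc.1.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // non-empty for pre-releases and pseudo-versions
}

// ParseVersion parses "vX.Y.Z", "vX.Y.Z-pre" and pseudo-versions such as
// "vX.Y.Z-0.20240101120000-abcdef123456"; everything after the first '-'
// is kept as the pre-release tag and build metadata after '+' is dropped.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v Version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("malformed version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Less orders versions numerically and ranks a pre-release below the
// corresponding release (v5.9.0-rc.1 < v5.9.0). Two pre-releases of the
// same number are not ordered; FixedVersion is a release, so that case
// never decides the check here.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	if v.Patch != o.Patch {
		return v.Patch < o.Patch
	}
	return v.Pre != "" && o.Pre == ""
}

// ScanGoMod reads go.mod text and reports the go-billy version it requires,
// whether that version is below the fix, and whether the module appears at
// all. Single-line and block require directives and "// indirect" markers
// are handled; replace directives and vendored copies are not.
func ScanGoMod(goMod string) (version string, vulnerable bool, found bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[0] != VulnModule {
			continue
		}
		v, perr := ParseVersion(fields[1])
		if perr != nil {
			return fields[1], false, true, perr
		}
		return fields[1], v.Less(FixedVersion), true, nil
	}
	return "", false, false, sc.Err()
}

// SampleGoMod is a constructed go.mod for this example, not taken from any
// real project; the versions in it are illustrative.
const SampleGoMod = `module example.com/fileserver

go 1.22

require (
	github.com/go-git/go-billy/v5 v5.6.2
	github.com/go-git/go-git/v5 v5.13.0
)

require golang.org/x/sys v0.28.0 // indirect
`

func main() {
	ver, vuln, found, err := ScanGoMod(SampleGoMod)
	fmt.Printf("go-billy found=%v version=%s affected(<v5.9.0)=%v err=%v\n", found, ver, vuln, err)
}
```

go.mod is only a lower bound on what an image actually ships: a replace directive, a vendored copy or a binary built from a different module graph will not show up here. On a built image, `go version -m <binary>` lists the modules linked into each Go binary and is the authoritative input for this comparison.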
Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch: Pending upstream

The upstream advisory names go-billy 5.9.0 as the fixed version, but HarborGuard has not yet confirmed that release as resolvable in affected images, so it re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment it is. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; the attacker sends crafted path requests remotely. go-billy itself has no network surface, so this condition is met only where the embedding application passes a user-supplied file or directory name to it.

  • Authentication: Required

    A valid account is required, but any low-privilege account is sufficient to attempt path traversal.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker interacts directly with the service.

  • Attack complexity: Low

    The exploit is deterministic: a crafted path is enough, with no race conditions or special environmental factors required.

Blast Radius

  • Reads files outside the intended base directory: anything the process user can read, which on a typical host includes application secrets, configuration files, and credentials.
  • Writes or overwrites files outside the base directory, allowing modification of application data, configuration, or code that the process user can write to.
  • Applications that rely on go-billy for directory isolation lose that boundary, so exposure widens to every path the process user can access; the process's own filesystem privileges, not go-billy, become the only remaining limit.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all images carrying go-billy below 5.9.0 within minutes of each scan cycle. The upstream advisory names 5.9.0 as the fixed version, but until that release is confirmed as resolvable in affected images HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment it is. For customers with auto-remediation enabled, that event triggers an automatic rebuild, regression test run, and PR opened against affected workloads. While awaiting the fix, compensating controls worth considering include: network-policy rules that restrict which clients can reach services backed by go-billy; running the process as an unprivileged user with a read-only root filesystem and only the intended data directory mounted writable, so a successful traversal reaches as little as possible; a canonicalized-path check at the application boundary that rejects any request resolving outside the base directory, rather than relying on go-billy's own sanitization; and feature-flag gating of any application paths that accept user-supplied file or directory names.
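The boundary check that the advisory says go-billy applied inconsistently, and that the compensating controls above recommend enforcing at the application layer, is shown here as an added example in standard-library Go. It is not go-billy's code and not HarborGuard's: it contrasts the unsafe pattern (a bare filepath.Join of base and caller input) with a SafeJoin that confines every resolved path under the base directory and rejects the rest. The base path /srv/data and the request strings are constructed for the example, and the handling of absolute input (re-rooting it under base, as a chroot-style filesystem would) is an assumption of this example rather than something the advisory specifies.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path would resolve outside base.
var ErrOutsideBase = errors.New("path escapes base directory")

// NaiveJoin is the unsafe pattern: it trusts the caller-supplied path, so
// ".." components walk out of base. Kept only to show the escape.
func NaiveJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// SafeJoin resolves userPath underneath base and refuses any result that is
// not inside base. Absolute input is re-rooted under base (chroot semantics,
// an assumption of this example); ".." is allowed only while it stays inside.
func SafeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	// Strip leading separators so "/etc/passwd" becomes "etc/passwd" under base.
	rel := strings.TrimLeft(filepath.ToSlash(userPath), "/")
	joined := filepath.Join(cleanBase, filepath.FromSlash(rel))
	// filepath.Rel says where joined sits relative to base; a result that
	// starts with ".." has left the base directory.
	back, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// Escapes reports whether a request would be a traversal, i.e. whether
// SafeJoin rejects it for leaving base.
func Escapes(base, userPath string) bool {
	_, err := SafeJoin(base, userPath)
	return errors.Is(err, ErrOutsideBase)
}

func main() {
	base := "/srv/data" // constructed base directory for the example
	for _, p := range []string{
		"docs/readme.txt",       // ordinary relative path: allowed
		"docs/../notes.txt",     // ".." that stays inside: allowed
		"../etc/passwd",         // classic traversal: rejected
		"docs/../../etc/shadow", // traversal hidden behind a valid prefix: rejected
		"/etc/passwd",           // absolute input: re-rooted under base, allowed
	} {
		safe, err := SafeJoin(base, p)
		fmt.Printf("%-24s naive=%-28s safe=%q err=%v\n", p, NaiveJoin(base, p), safe, err)
	}
}
```

SafeJoin is a purely lexical check: it catches .. and absolute-path escapes but cannot see symlinks, so a link inside base that points outside still leads out. Where the tree under base is attacker-influenced, resolve the candidate with filepath.EvalSymlinks before the Rel comparison, or on Go 1.24 and later open files through os.OpenRoot, which enforces the boundary in the kernel rather than on the string.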

Metrics

CVSS v3.1: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Fixed in: 5.9.0
Affected products: 1
Affected packages:
  • go-git / go-billy < 5.9.0