CVE-2026-47261: Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;. That open_mode value is later checked against the preopen's FilePerms to decide whether the open is permitted, so a truncate-only request was treated as a read-only one. The single-line fix adds the missing assignment, after which the affected calls correctly fail with error-code.not-permitted (wasip2) and ERRNO_PERM (wasip1) respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and 44.0.2.
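To make the root cause concrete, here is an added, self-contained Rust model of the open-mode derivation and the permission gate it feeds. It is not Wasmtime's code: the type names OpenFlags, OpenMode, DirPerms and FilePerms mirror the advisory, but the bit layouts and the functions derive_open_mode, check_open, try_open and affected_preopen are invented for this illustration. The `fixed` flag switches between the pre-patch TRUNCATE handling and the one-line fix, and affected_preopen encodes the advisory's stated precondition (DirPerms::MUTATE with FilePerms::READ but not FilePerms::WRITE) so an embedder can see which preopen configurations are in scope.

```rust
// Added example modelling CVE-2026-47261; not Wasmtime's code.
// Type names mirror the advisory; bit layouts and function names are invented.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct OpenFlags(u8);
impl OpenFlags {
    pub const NONE: Self = Self(0);
    pub const CREATE: Self = Self(1 << 0);
    pub const TRUNCATE: Self = Self(1 << 1);
    pub fn contains(self, o: Self) -> bool { self.0 & o.0 == o.0 }
}

/// The access mode the runtime derives from a request (subset).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct OpenMode(u8);
impl OpenMode {
    pub const READ: Self = Self(1 << 0);
    pub const WRITE: Self = Self(1 << 1);
    pub fn empty() -> Self { Self(0) }
    pub fn contains(self, o: Self) -> bool { self.0 & o.0 == o.0 }
}
impl std::ops::BitOrAssign for OpenMode {
    fn bitor_assign(&mut self, o: Self) { self.0 |= o.0; }
}

/// Host-side file permissions granted to a preopen.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct FilePerms(u8);
impl FilePerms {
    pub const READ: Self = Self(1 << 0);
    pub const WRITE: Self = Self(1 << 1);
    pub fn all() -> Self { Self(Self::READ.0 | Self::WRITE.0) }
    pub fn contains(self, o: Self) -> bool { self.0 & o.0 == o.0 }
}

/// Host-side directory permissions granted to a preopen.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct DirPerms(u8);
impl DirPerms {
    pub const READ: Self = Self(1 << 0);
    pub const MUTATE: Self = Self(1 << 1);
    pub fn contains(self, o: Self) -> bool { self.0 & o.0 == o.0 }
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum ErrorCode { NotPermitted }

/// What the guest asked for: descriptor access flags plus open flags.
#[derive(Clone, Copy, Debug)]
pub struct OpenRequest { pub read: bool, pub write: bool, pub oflags: OpenFlags }

/// Derive the host access mode for a request. `fixed` selects the
/// post-patch handling of OpenFlags::TRUNCATE.
pub fn derive_open_mode(req: OpenRequest, fixed: bool) -> OpenMode {
    let mut open_mode = OpenMode::empty();
    if req.read { open_mode |= OpenMode::READ; }
    if req.write { open_mode |= OpenMode::WRITE; }
    // Creating a file is a write, and the unpatched code already recorded it.
    if req.oflags.contains(OpenFlags::CREATE) { open_mode |= OpenMode::WRITE; }
    // Truncation discards file contents, so it is a write as well. The fix
    // records it; before the fix this branch left open_mode untouched.
    if req.oflags.contains(OpenFlags::TRUNCATE) && fixed { open_mode |= OpenMode::WRITE; }
    open_mode
}

/// The permission gate that compares the derived mode with the preopen's FilePerms.
pub fn check_open(open_mode: OpenMode, perms: FilePerms) -> Result<(), ErrorCode> {
    if open_mode.contains(OpenMode::READ) && !perms.contains(FilePerms::READ) {
        return Err(ErrorCode::NotPermitted);
    }
    if open_mode.contains(OpenMode::WRITE) && !perms.contains(FilePerms::WRITE) {
        return Err(ErrorCode::NotPermitted);
    }
    Ok(())
}

/// Full path: derive the mode, then apply the gate.
pub fn try_open(req: OpenRequest, perms: FilePerms, fixed: bool) -> Result<(), ErrorCode> {
    check_open(derive_open_mode(req, fixed), perms)
}

/// True when a preopen matches the advisory's affected configuration.
pub fn affected_preopen(dir: DirPerms, file: FilePerms) -> bool {
    dir.contains(DirPerms::MUTATE)
        && file.contains(FilePerms::READ)
        && !file.contains(FilePerms::WRITE)
}

fn main() {
    let truncate_only = OpenRequest { read: false, write: false, oflags: OpenFlags::TRUNCATE };
    println!("before fix: {:?}", try_open(truncate_only, FilePerms::READ, false));
    println!("after fix:  {:?}", try_open(truncate_only, FilePerms::READ, true));
}
```

The model shows why the gate alone was not at fault: check_open does reject writes when FilePerms::WRITE is absent, but it can only act on what derive_open_mode tells it, and the unpatched TRUNCATE branch never told it anything. An embedding audit therefore has two parts: upgrade to a fixed version, and treat any preopen for which affected_preopen returns true as exposed until then.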
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An access-control bypass vulnerability affects Wasmtime, the WebAssembly runtime maintained by the Bytecode Alliance. A remote attacker with no authentication can exploit the vulnerability by opening a file through the WASI path_open or wasip2 descriptor.open-at interface using only the TRUNCATE flag, which sidesteps the FilePerms::WRITE check and allows file truncation even when the host embedding explicitly withholds write permission. Successful exploitation allows an attacker to truncate (destroy the contents of) files in a preopened directory, causing data loss and tampering in affected embeddings. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are published and indexed.
HarborGuard Coverage
Detection of CVE-2026-47261 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the wasmtime or wasmtime-wasi crate.
Triage is available using the CVSS v3.1 score of 7.5 (HIGH), weighted against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Pending upstream: because no fix versions have been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment versions 24.0.9, 36.0.10, or 44.0.2 (or any later fix) are indexed. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.
Exploit Conditions
- Network reachability: Required. The vulnerable WASI interface is reachable over the network (AV:N), so an attacker must be able to send requests to the exposed service.
- Authentication: Not required. No credentials or prior account are needed to trigger the vulnerable code path (PR:N).
- Victim interaction: Not required. The attacker does not need any user or administrator to take any action for exploitation to succeed (UI:N).
- Attack complexity: Low. Exploitation is reliable and condition-free; no race conditions or special environmental setup are required (AC:L).
Blast Radius
- An attacker can truncate any file inside a preopened directory to zero bytes, permanently destroying its contents.
- Data held in configuration files, database files, or application state files within the preopened scope is at risk of being wiped.
- The integrity impact is high (I:H); no confidentiality or availability impact is scored, meaning this vector alone neither discloses file contents nor crashes the service.
- Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ (without FilePerms::WRITE) are in scope; embeddings that grant FilePerms::all() are not affected.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory is active, and any image containing an affected version of the wasmtime or wasmtime-wasi crate will surface in scan results. Because no upstream fix is published yet, HarborGuard re-evaluates the advisory on every ingest cycle. The moment fix versions 24.0.9, 36.0.10, or 44.0.2 are indexed from upstream sources, a patched-image rebuild becomes available; for customers with auto-remediation enabled, the pipeline will trigger a rebuild, run regression tests, and open a PR against affected workloads without requiring manual steps. In the interim, compensating controls worth considering include applying network-policy isolation to restrict access to services that use affected wasmtime-wasi embeddings, auditing whether your embedding combines DirPerms::MUTATE with read-only FilePerms (the specific precondition for this bug), and gating access to preopened directories through an additional application-layer permission check until the upstream patch is available.
- bytecodealliance / wasmtime: >= 37.0.0, < 44.0.2 · >= 25.0.0, < 36.0.10 · < 24.0.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
- https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.9
- https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.10
- https://github.com/bytecodealliance/wasmtime/releases/tag/v44.0.2
- https://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.0