CVE-2026-49233: Routinator cache path traversal using rogue rsync URIs
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
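The following is an added example, not Routinator's own code or its fix: it shows how an unchecked module component of `..` moves a cache path out of the directory of the host that served it, next to a mapping that validates every segment first. The cache layout `<root>/<authority>/<module>/<path>`, the function names, the host names and the `/srv/cache` root are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

// Assumed cache layout for this sketch: <root>/<authority>/<module>/<path>.
fn split_rsync_uri(uri: &str) -> Option<(&str, &str, &str)> {
    let rest = uri.strip_prefix("rsync://")?;
    let (authority, rest) = rest.split_once('/')?;
    let (module, path) = rest.split_once('/').unwrap_or((rest, ""));
    Some((authority, module, path))
}

// Weak form: URI components are joined onto the cache root unchecked.
fn naive_cache_path(root: &Path, uri: &str) -> Option<PathBuf> {
    let (authority, module, path) = split_rsync_uri(uri)?;
    Some(root.join(authority).join(module).join(path))
}

// Resolve "." and ".." lexically to show where a joined path really points.
fn normalize(p: &Path) -> PathBuf {
    p.components().fold(PathBuf::new(), |mut out, c| {
        match c {
            Component::ParentDir => drop(out.pop()),
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
        out
    })
}

// A segment is acceptable only if it names exactly one directory entry.
fn safe_segment(s: &str) -> bool {
    !matches!(s, "" | "." | "..") && !s.contains(|c: char| matches!(c, '/' | '\\' | '\0'))
}

// Hardened form: authority, module and every path segment are validated first.
fn checked_cache_path(root: &Path, uri: &str) -> Result<PathBuf, String> {
    let (authority, module, path) = split_rsync_uri(uri).ok_or("not an rsync URI")?;
    let mut out = root.to_path_buf();
    let rest = path.split('/').filter(|s| !s.is_empty());
    for seg in IntoIterator::into_iter([authority, module]).chain(rest) {
        if !safe_segment(seg) { return Err(format!("unsafe segment {seg:?} in {uri}")); }
        out.push(seg);
    }
    Ok(out)
}

fn main() {
    let uri = "rsync://rogue.example/../other.example/repo/x.roa"; // constructed
    println!("{:?}", naive_cache_path(Path::new("/srv/cache"), uri).map(|p| normalize(&p)));
    println!("{:?}", checked_cache_path(Path::new("/srv/cache"), uri));
}
```

Rejecting the URI outright, rather than silently stripping the `..`, keeps a malformed publication point visible in logs.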
Metrics
- CVSS v4.0: 8.3
- Severity: HIGH
- Fixed in: 0.15.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in NLnet Labs Routinator allows an attacker to manipulate the module component of rsync URIs, causing Routinator to write or overwrite files outside the intended cache directory. The vulnerability is reachable over the network with no authentication required, as derived from the CVSS vector. Successful exploitation lets an attacker tamper with the Routinator rsync cache at arbitrary paths, and can also disrupt the availability of the cache service. A patched-image rebuild at version 0.15.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from Routinator base layers.
Triage is available using the CVSS v4.0 score of 8.3 (HIGH), weighted against each customer organization's compliance policy, with findings routed to the appropriate team inbox configured within that environment.
A patched-image rebuild at Routinator 0.15.2 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the Routinator service over the network by serving a rogue rsync URI from a reachable rsync server.
- Authentication: Not required
  No credentials or account are needed; the attack is triggered through the rsync URI handling logic without prior authentication.
- Victim interaction: Not required
  No user interaction is required; Routinator processes the malicious URI automatically as part of its normal cache synchronization.
- Attack complexity: Detail
  The base exploit path is reliable and condition-free, though the CVSS AT:P token notes that specific deployment conditions (such as a reachable rogue rsync endpoint) must be in place.
Blast Radius
- Attacker writes or overwrites files at arbitrary paths on the host filesystem, escaping the intended Routinator cache directory boundary.
- Attacker corrupts or replaces cached RPKI (Resource Public Key Infrastructure) data, poisoning the Route Origin Validation feed that downstream BGP routers may rely on.
- Attacker disrupts availability of the Routinator cache service, causing validation failures or service outages for dependent routing infrastructure.
- Attacker gains persistent influence over cache contents across repeated sync cycles until the path traversal is closed.
How HarborGuard Handles This
Available on HarborGuard: images built on affected Routinator versions are matched against this CVE within minutes of advisory ingestion, with findings surfaced at CVSS 8.3 HIGH priority. A rebuild targeting the fixed version 0.15.2 is made available as soon as the advisory is ingested. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued in the team inbox with fix-version details attached. As a compensating control before patching, network policy rules that restrict which rsync endpoints Routinator is permitted to contact can limit exposure to rogue URI injection.
Fix available
- NLnet Labs / Routinator: Fixed in 0.15.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N