CVE-2026-23986

7.1 HIGH

📋 TL;DR

CVE-2026-23986 is a path traversal vulnerability in the Copier project-templating tool that allows a malicious template to write files outside the intended destination directory. It affects users who generate projects from untrusted templates with Copier versions before 9.11.2. The flaw lies in symlink handling when a template sets _preserve_symlinks: true, which can be abused to bypass the intended destination-directory boundary.

💻 Affected Systems

Products:
  • Copier
Versions: All versions prior to 9.11.2
Operating Systems: All platforms where Copier runs (Linux, macOS, Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is reachable when a template uses the _preserve_symlinks: true feature. It only affects users who process templates from untrusted sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file overwrite, including critical system files, configuration files, or user data, potentially leading to privilege escalation or data destruction.

🟠 Likely Case

Malicious template overwrites user files, configuration files, or project files, causing data loss, service disruption, or unauthorized code execution.

🟢 If Mitigated

Impact is limited to files within the user's write permissions, potentially corrupting the generated project but contained to user space.

🌐 Internet-Facing: MEDIUM - Requires user to process malicious template, but templates can be distributed via public repositories or package managers.
🏢 Internal Only: MEDIUM - Internal developers using untrusted templates or templates from external sources remain vulnerable.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating a malicious template with specific symlink configuration. User must process the template, which requires some social engineering or supply chain compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.11.2

Vendor Advisory: https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh

Restart Required: No

Instructions:

1. Update Copier using pip: pip install --upgrade copier==9.11.2
2. Verify installation: copier --version
3. No restart required as Copier is a CLI tool.

🔧 Temporary Workarounds

Avoid untrusted templates (applies to: all)

Only use templates from trusted sources and verify template contents before processing.

Disable symlink preservation (applies to: all)

Avoid using _preserve_symlinks: true in template configurations.

🧯 If You Can't Patch

  • Restrict Copier usage to trusted templates only from verified sources
  • Run Copier in isolated containers or sandboxes with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check the Copier version with copier --version. If the version is below 9.11.2, the installation is vulnerable.

Check Version:

copier --version

Verify Fix Applied:

Run: copier --version. Verify output shows 9.11.2 or higher.
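The version check above, as an added example (not code from the advisory or from the Copier project): parse the number printed by copier --version and compare it with the fixed release 9.11.2. The exact output format of copier --version is assumed to contain a dotted version number somewhere; that assumption is not taken from the page.

```python
"""Added example, not from the advisory or the Copier project: decide whether
an installed Copier version predates the fixed release 9.11.2."""
import re
import shutil
import subprocess

# First release containing the fix, per the advisory. The trailing 1 marks a
# final release; a pre-release tag (rc1, b2, ...) is stored as 0 so that it
# sorts below the final release and is treated conservatively as unfixed.
FIXED_VERSION = (9, 11, 2, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z]+\d*)?")


def parse_version(text):
    """Extract the first dotted version number from free text (for example the
    output of `copier --version`) and return a comparable tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_vulnerable(version_text):
    """True when the reported version is older than 9.11.2 (CVE-2026-23986 unpatched)."""
    return parse_version(version_text) < FIXED_VERSION


def installed_copier_version():
    """Run `copier --version` if the tool is on PATH and return its raw output,
    or None when it is not installed. Assumption: the output contains the
    version number; the precise format is not taken from the advisory."""
    if shutil.which("copier") is None:
        return None
    result = subprocess.run(["copier", "--version"], capture_output=True,
                            text=True, check=False)
    return (result.stdout + result.stderr).strip() or None


if __name__ == "__main__":
    output = installed_copier_version()
    if output is None:
        print("copier is not installed or not on PATH")
    elif is_vulnerable(output):
        print(f"VULNERABLE: {output!r} is older than 9.11.2; "
              "run: pip install --upgrade copier==9.11.2")
    else:
        print(f"OK: {output!r} is 9.11.2 or newer")
```

Run it on each developer machine or CI image that has Copier installed; a non-zero exit could be added for the vulnerable branch if it is used as a CI gate.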

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations outside expected project directories
  • Copier processing templates with symlink configurations

Network Indicators:

  • Downloads of Copier templates from untrusted sources

SIEM Query:

process_name:"copier" AND (file_write_path NOT CONTAINS "/expected/project/path" OR file_write_path CONTAINS "/etc/" OR file_write_path CONTAINS "/home/")
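The condition the SIEM query approximates, as an added example (not code from the advisory): resolve each path that Copier wrote and flag any that does not land inside the expected destination directory, whether it escapes via an absolute path, via "..", or via a symlink inside the tree that points elsewhere. The audit-style records and the destination path /home/dev/projects/app are constructed for the example, not real telemetry.

```python
"""Added example, not from the advisory: flag file writes by copier that land
outside the intended destination directory. Records below are constructed."""
import os
import tempfile

# Constructed audit-style records: (process name, path written). Not real data.
SAMPLE_WRITES = [
    ("copier", "/home/dev/projects/app/README.md"),
    ("copier", "/home/dev/projects/app/src/../../.bashrc"),  # escapes via '..'
    ("copier", "/etc/cron.d/nightly-job"),                    # absolute path outside
    ("copier", "/home/dev/projects/app/docs/index.md"),
    ("vim",    "/home/dev/.bashrc"),                           # not copier, ignored
]


def is_outside(destination, path):
    """True if `path`, after normalising '..' and resolving any symlinks that
    exist on disk, is not inside `destination`. realpath is applied to both
    sides so a symlink inside the tree is judged by where it really leads."""
    dest = os.path.realpath(destination)
    target = os.path.realpath(path)
    # commonpath works component-wise, so "/x/app" does not match "/x/apple".
    return os.path.commonpath([dest, target]) != dest


def flag_escaping_writes(writes, destination, process="copier"):
    """Return the records written by `process` that fall outside `destination`."""
    return [
        (proc, path) for proc, path in writes
        if proc == process and is_outside(destination, path)
    ]


def symlink_escape_demo():
    """Build a scratch destination containing a symlink that points outside it
    and show that a write through the link is flagged, even though the logged
    path looks like it is inside the destination. Returns True when flagged."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "project")
        outside = os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(dest, "config"))  # project/config -> ../outside
        written = os.path.join(dest, "config", "settings.yml")
        return is_outside(dest, written)


if __name__ == "__main__":
    for proc, path in flag_escaping_writes(SAMPLE_WRITES, "/home/dev/projects/app"):
        print(f"ALERT: {proc} wrote outside destination: {path}")
    print("symlink escape flagged:", symlink_escape_demo())
```

The same containment test is what a template-processing tool should apply before following a preserved symlink: resolve the link target and refuse it unless the resolved path still sits under the destination.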
