CVE-2026-26099

5.5 MEDIUM

📋 TL;DR

CVE-2026-26099 is a path traversal vulnerability in Owl opds 2.2.0.4 that allows attackers to manipulate configuration file search paths via crafted network requests. This could enable loading malicious configuration files or executing arbitrary code. Systems running vulnerable versions of Owl opds are affected.

💻 Affected Systems

Products:
  • Owl opds
Versions: 2.2.0.4
Operating Systems: All platforms running Owl opds
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment of Owl opds 2.2.0.4 is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Configuration manipulation leading to service disruption, privilege escalation, or data exposure.

🟢 If Mitigated

Limited impact with proper network segmentation and file system permissions preventing path traversal.

🌐 Internet-Facing: HIGH - Network-accessible service vulnerable to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Still vulnerable to internal threats but attack surface reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Crafting malicious network requests to manipulate search paths is relatively straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26099

Restart Required: Yes

Instructions:

1. Monitor vendor for patch release
2. Apply patch when available
3. Restart Owl opds service

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to Owl opds service to trusted sources only

iptables -A INPUT -p tcp --dport [owl_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [owl_port] -j DROP

File System Hardening (Linux)

Set strict permissions on configuration directories to prevent unauthorized writes

chmod 700 /path/to/owl/config
chown root:root /path/to/owl/config

🧯 If You Can't Patch

  • Isolate vulnerable systems in separate network segments with strict firewall rules
  • Implement application allowlisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check Owl opds version: grep -i version /path/to/owl/logs or check service output

Check Version:

owl-opds --version or check package manager: dpkg -l | grep owl-opds

Verify Fix Applied:

Verify version is updated beyond 2.2.0.4 when patch becomes available

📡 Detection & Monitoring

Log Indicators:

  • Unusual path traversal patterns in access logs
  • Failed configuration file load attempts
  • Unexpected process execution

Network Indicators:

  • Crafted HTTP requests with path traversal sequences
  • Unusual outbound connections from Owl opds process

SIEM Query:

source="owl_opds" AND (http_uri="*../*" OR http_uri="*..\\*")
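
The SIEM query above matches only the literal sequences `../` and `..\`. The following added example (not taken from the vendor advisory or from Owl opds) applies the same match after bounded percent-decoding, so that encoded forms in a log are flagged as well. The log line layout (`<source> <method> <uri>`) and every sample line are constructed assumptions, not real Owl opds output.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound on repeated decoding of nested percent-encoding

# Same sequences the SIEM query looks for: "../" and "..\"
_TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample lines (assumed layout: source, method, URI).
SAMPLE_LOG = [
    "192.0.2.10 GET /catalog/index.xml",
    "192.0.2.44 GET /catalog/../../conf/settings",
    "192.0.2.44 GET /catalog/%2e%2e%2fconf/settings",
    "192.0.2.44 GET /catalog/%252e%252e%255cconf",
    "192.0.2.10 GET /catalog/v1..2/notes",
]


def raw_match(uri: str) -> bool:
    """What the literal SIEM patterns see: no decoding at all."""
    return "../" in uri or "..\\" in uri


def normalize_uri(uri: str) -> str:
    """Percent-decode until the value stops changing, at most MAX_DECODE_ROUNDS."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri: str) -> bool:
    """True if the decoded URI contains '../' or '..\\'."""
    return bool(_TRAVERSAL.search(normalize_uri(uri)))


def scan(lines):
    """Return (source, uri) for every log line whose URI is flagged."""
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed layout
        source, _method, uri = parts
        if has_traversal(uri):
            hits.append((source, uri))
    return hits
```

On the constructed sample, the literal patterns flag one request while the decoded check flags three, all from the same source.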
