CVE-2026-26960

7.1 HIGH

📋 TL;DR

CVE-2026-26960 is a path traversal vulnerability in node-tar that allows attackers to create hardlinks pointing outside the extraction directory when processing malicious archives. This enables arbitrary file read/write operations as the extracting user, bypassing path protection mechanisms. All applications using node-tar versions 7.5.7 and below with default options are affected.

💻 Affected Systems

Products:
  • node-tar
Versions: 7.5.7 and below
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects default options; custom configurations with strict path validation may be protected.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary file read/write leading to privilege escalation, data exfiltration, or system destruction.

🟠 Likely Case: Unauthorized access to sensitive files, modification of configuration files, or installation of backdoors.

🟢 If Mitigated: Limited impact if extraction runs with minimal privileges and filesystem permissions restrict access to critical files.

🌐 Internet-Facing: HIGH - Any service accepting user-uploaded tar archives is vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal systems processing archives from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only archive upload capability; proof-of-concept available in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.8

Vendor Advisory: https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx

Restart Required: No

Instructions:

1. Update node-tar: npm update tar
2. Verify version: npm list tar
3. Ensure version is 7.5.8 or higher
4. Test archive extraction functionality

🔧 Temporary Workarounds

Use custom extraction options (applies to: all platforms)

Configure tar extraction with strict path validation so that neither an entry's own path nor a hardlink's target resolves outside the extraction root:

const tar = require('tar');
const nodePath = require('node:path');
const root = nodePath.resolve('/safe/path');
// True only if p, resolved against the extraction root, stays inside it
// (separator guard: '/safe/pathology' is not under '/safe/path')
const inside = (p) => {
  const r = nodePath.resolve(root, p);
  return r === root || r.startsWith(root + nodePath.sep);
};
tar.extract({
  file: 'untrusted.tar', // assumed archive name
  cwd: root,
  // Reject entries whose own path, or whose hardlink target, escapes the root
  filter: (entryPath, entry) =>
    inside(entryPath) && !(entry.type === 'Link' && !inside(entry.linkpath)),
});

🧯 If You Can't Patch

  • Run tar extraction processes with minimal filesystem permissions using chroot or container isolation
  • Implement strict input validation to reject archives from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the tar version in package.json / package-lock.json, or run: npm list tar | grep tar@ ; any reported tar@ version of 7.5.7 or lower is affected (npm list can show several nested copies, and each one counts).

Check Version:

npm list tar | grep tar@

Verify Fix Applied:

Confirm every listed copy is 7.5.8 or later; this prints only the patched lines, so any tar@ line missing from its output is an unpatched copy: npm list tar | grep -E 'tar@(7\.5\.([89]|[1-9][0-9]+)|7\.([6-9]|[1-9][0-9]+)\.[0-9]+|([89]|[1-9][0-9]+)\.[0-9]+\.[0-9]+)'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected hardlink creation during archive extraction
  • File access errors for paths outside extraction directory

node-tar does not write logs itself, so these indicators only exist if the application records each extracted entry (its path, type and link target), for example from the filter callback used in the workaround above.

Network Indicators:

  • Large archive uploads followed by unusual file access patterns

SIEM Query:

source="application.log" AND "tar.extract" AND ("hardlink" OR "symlink") AND NOT path="*expected/path*"
