Bug 2497377 (CVE-2026-58203)
| Summary: | CVE-2026-58203 pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, dfreiber, dkeler, drow, dschmidt, dtrifiro, ebourniv, ehelms, ggainey, hasun, ilpinto, jburrell, jfula, jlanda, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kshier, lgallett, ltomasbo, mbarnett, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, osousa, pcreech, prwatson, ptisnovs, rbryant, rchan, rjohnson, sbunciak, sdoran, simaishi, smallamp, stcannon, suppawar, syedriko, teagle, thason, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane, ykashtan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the `pydantic-settings` component. When configured to handle nested secrets, this vulnerability allows an attacker to read sensitive files from outside the designated secrets directory. By placing a specially crafted symbolic link within the secrets directory, an attacker can trick the system into accessing unauthorized files. This issue also bypasses a safeguard designed to limit the size of loaded secrets, potentially leading to unexpected resource usage. This vulnerability requires an attacker to have the ability to modify entries within the secrets directory.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-07-06 16:02:07 UTC
|