{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41082", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T17:32:39.584Z", "datePublished": "2026-04-16T17:32:40.068Z", "dateUpdated": "2026-04-16T23:00:36.235Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:opam/opam-format", "product": "opam", "vendor": "OCaml", "versions": [{"lessThan": "2.5.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-24", "description": "CWE-24 Path Traversal: '../filedir'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T23:00:36.235Z"}, "references": [{"url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}, {"url": "https://github.com/ocaml/opam/pull/6897"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T18:37:03.655616Z", "id": "CVE-2026-41082", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:37:08.983Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41082", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T18:37:03.655616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T18:37:06.220Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OCaml", "product": "opam", "versions": [{"status": "affected", "version": "0", "lessThan": "2.5.1", "versionType": "semver"}], "packageURL": "pkg:opam/opam-format", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}, {"url": "https://github.com/ocaml/opam/pull/6897"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-24", "description": "CWE-24 Path Traversal: '../filedir'"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T23:00:36.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41082", "state": "PUBLISHED", "dateUpdated": "2026-04-16T23:00:36.235Z", "dateReserved": "2026-04-16T17:32:39.584Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T17:32:40.068Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory."}], "id": "CVE-2026-41082", "lastModified": "2026-04-16T18:16:45.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T18:16:45.980", "references": [{"source": "cve@mitre.org", "url": "https://github.com/ocaml/opam/pull/6897"}, {"source": "cve@mitre.org", "url": "https://github.com/ocaml/opam/releases/tag/2.5.1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-24"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.1)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "opam", "source": "cna", "vendor": "OCaml"}, "product": "ocaml", "vendor": "ocaml"}], "analysis": {"en": {"generated_at": "2026-04-17T02:54:30.052129+00:00", "value": {"mitigation_remediation": ["Apply the latest opam release 2.5.1 or newer, which removes the directory traversal flaw.", "Limit opam to trusted package sources or use opam's \"--trusted\" flag when installing very carefully vetted packages.", "Implement file system or opam environment restrictions (e.g., chroot or sandbox) to isolate installation directories when working with untrusted packages."], "summary": {"action": "Immediate Patch", "impact": "Path traversal enabling arbitrary file modification"}, "threat_synthesis": {"affected_systems": "The affected product is OCaml's opam, with all releases preceding 2.5.1 impacted. Packages that contain a malicious \".install\" field within these versions pose the risk.\n", "description_and_impact": "In prior to version 2.5.1 of OCaml's opam package manager, the installer script field named \".install\" allows a package author to specify a destination path for an installed file. A malicious package can insert the string \"../\" into this path, causing opam to write the file outside the intended package directory and potentially into system\u2011wide locations. The effect is unauthorized modification of files that may lead to privilege escalation, configuration tampering, or denial of service if critical files are overwritten.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.3, indicating high severity, and is not currently listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is not available, but the lack of availability does not mitigate the inherent risk. The likely attack vector is misuse of a malicious package either through a local repository or by convincing a user to install a compromised package. Successful exploitation requires the ability to supply or run an opam install command with the tainted package."}}}}, "created": "2026-04-17T03:00:08.455733+00:00", "title": "Path Traversal in opam .install Files Enables Arbitrary File Modification", "updated": "2026-04-17T08:00:10.885162+00:00", "vendors": ["ocaml", "ocaml$PRODUCT$ocaml"]}