CVE-2026-10621: Collibra Agent Path Traversal in Restore Handler – Arbitrary File Write Vulnerability
Collibra Agent contains a path traversal vulnerability in its restore handler that allows attackers to write arbitrary files to a system by uploading a malicious ZIP archive. The vulnerability stems from insufficient validation of file paths during ZIP extraction, enabling an attacker to escape the intended extraction directory and place files anywhere on the system. No authentication is required to exploit this flaw.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- —
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10621 is a path traversal vulnerability affecting Collibra Agent's restore functionality. The vulnerability exists because the application fails to properly validate and canonicalize file paths during ZIP archive extraction. An attacker can craft a ZIP file containing entries with path traversal sequences (such as ../ or absolute paths) that, when processed by the restore handler, extract files outside the designated extraction directory. The CVSS 3.1 score of 7.5 reflects high integrity impact with network accessibility and no authentication requirement (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Business impact
This vulnerability enables attackers to overwrite critical system files, application configuration files, or inject malicious code into executable locations without authentication. Depending on the permissions of the Collibra Agent process and the target system's configuration, successful exploitation could lead to application compromise, code execution, or lateral movement within the infrastructure. Organizations relying on Collibra for data governance should consider this a priority given the direct path to file system manipulation.
Affected systems
Collibra Agent is affected. The specific versions vulnerable to this flaw should be verified against Collibra's official security advisory, as version information is not included in this CVE record. Organizations running Collibra Agent for restore operations should inventory their deployments and confirm which versions are installed.
Exploitability
This vulnerability has a low attack complexity and requires no authentication or user interaction. An attacker can send a crafted ZIP archive to the restore handler over the network and achieve arbitrary file write. However, exploitation impact depends on the process privileges and file system permissions of the Collibra Agent service. The attack is straightforward to execute with basic ZIP manipulation tools, making it attractive to both opportunistic and targeted attackers.
Remediation
Apply the security patch released by Collibra for CVE-2026-10621. Organizations should verify patch availability through Collibra's security advisories and update all instances of Collibra Agent in their environment. Until patching is complete, consider restricting network access to the restore handler endpoint and reviewing access controls to the service.
Patch guidance
Consult Collibra's official security advisory for the specific patched version numbers and update procedures. Test patches in a non-production environment before deployment to ensure compatibility with your data governance workflows. Given the network-accessible nature of this flaw, prioritize patching in externally exposed instances first, then move to internal deployments.
Detection guidance
Monitor for suspicious ZIP uploads to Collibra Agent restore endpoints, particularly those containing path traversal patterns (../, absolute paths, or unusual directory structures). Review file system access logs for unexpected file creation or modification outside the normal Collibra Agent directories. Enable detailed logging on the restore handler if available. Look for restore operations that generate files in system directories or executable paths.
Why prioritize this
The combination of network accessibility, zero authentication requirement, and high integrity impact makes this vulnerability a priority. While no active exploitation has been added to the KEV catalog, the ease of crafting a malicious ZIP and the potential for code execution or critical file overwrite warrant immediate attention. Organizations using Collibra for data governance should patch promptly.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects the severity: network vector, low complexity, no privileges or user interaction required, and high integrity impact. The lack of confidentiality or availability impact prevents a critical rating, but the unimpeded ability to write arbitrary files to the file system justifies the HIGH designation. Real-world risk depends on process permissions and network exposure.
Frequently asked questions
Can this vulnerability lead to code execution?
Yes, if an attacker writes to executable directories or application startup paths, arbitrary file write can lead to code execution. The severity depends on the permissions of the Collibra Agent process and whether the attacker can overwrite code that will be executed.
Is this vulnerability currently being exploited in the wild?
The vulnerability has not been added to CISA's KEV catalog as of the last modification date (2026-06-17), suggesting active exploitation in the wild has not yet been confirmed. However, organizations should not assume this indicates low risk; patch as soon as possible.
Do I need authentication to exploit this vulnerability?
No. The vulnerability requires no authentication, user interaction, or special privileges to exploit. Any network-capable attacker can send a malicious ZIP to the restore handler.
What should I do if I cannot patch immediately?
Implement network-level access controls to restrict who can reach the Collibra Agent restore endpoint. Review and tighten file system permissions on the host to limit damage from arbitrary file write. Monitor restore handler logs closely for suspicious activity.
This analysis is based on the CVE record and CVSS vector as of 2026-06-17. Specific affected versions, patch version numbers, and detailed remediation steps should be verified against Collibra's official security advisories. This summary does not constitute legal or compliance advice; organizations should consult their security teams and follow their incident response procedures. No proof-of-concept or exploit code is provided. Risk assessments should account for your specific network architecture, access controls, and Collibra deployment configuration. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability