CVE-2026-44973: Go-Billy Path Traversal Vulnerability (v5.9.0 Patch Available)
Billy is a Go library that provides an abstraction layer for filesystem operations. Versions before 5.9.0 contain path traversal vulnerabilities that allow attackers with authenticated access to bypass directory restrictions using specially crafted paths (such as those containing ".." sequences). An attacker could potentially read or modify files outside the intended directory boundaries. Applications that depend on Billy for filesystem isolation are at risk of exposing sensitive files on the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44973 addresses multiple path traversal flaws (CWE-22) in go-billy's filesystem abstraction implementations. The root cause is insufficient path sanitization and boundary enforcement across different built-in implementations. Crafted paths exploiting directory traversal sequences can escape the intended base directories. The vulnerability affects scenarios where Billy is relied upon for directory isolation guarantees. The inconsistent enforcement across implementations means some code paths may be more vulnerable than others depending on which abstraction is in use.
Business impact
Organizations using go-billy in backend services, data access layers, or multi-tenant systems face data exposure and integrity risks. An authenticated user or service could access or modify files outside their intended scope, potentially exposing secrets, configuration files, or other sensitive data. For applications serving multiple customers or with privilege separation requirements, this represents a confidentiality and integrity violation. The impact is amplified in systems where path-based access control is a primary security boundary.
Affected systems
Any application written in Go that incorporates go-billy for filesystem abstraction prior to version 5.9.0 is potentially affected. This includes applications using Billy for sandboxed or isolated filesystem operations, virtual filesystems, or any multi-tenant scenario relying on path-based access controls. The exact scope of impact depends on how each application uses Billy—systems that leverage it for strict isolation between users or data categories face higher risk.
Exploitability
Exploitation requires authenticated access (reflected in the CVSS vector PR:L), which means the attacker must already have some level of application access. From that position, crafting malicious paths to traverse directories is straightforward and requires no special tools or user interaction. Once authenticated, an attacker can probe directory structures and construct paths designed to escape restrictions, making this moderately easy to exploit for anyone with valid credentials. Network accessibility (AV:N) means remote exploitation is possible if the application is exposed over a network.
Remediation
Upgrade go-billy to version 5.9.0 or later. Verify the upgrade by checking your Go module dependencies (go.mod) and running a test build to confirm the new version is in use. After patching, redeploy affected services. Additionally, review your application's trust model—Billy was not originally designed to provide a strong security boundary, so relying solely on it for privilege separation should be reconsidered. Implement additional validation of user-supplied paths and apply principle of least privilege to filesystem operations.
Patch guidance
Update your go.mod file to require go-billy version 5.9.0 or higher. Run 'go get -u github.com/go-billy/billy/v5' (or the appropriate module path for your version) to pull the patched release. Run 'go mod tidy' and rebuild your application. Test that your application functions correctly with the new version, paying particular attention to any custom filesystem implementations or path handling logic. Deploy to all affected environments and restart services.
Detection guidance
Audit your Go module dependencies to identify which services or binaries use go-billy versions prior to 5.9.0. Use 'go list -m all' in your codebase to check current versions. Monitor application logs for suspicious filesystem access patterns, particularly sequences with '..' or unusual paths attempting to escape expected directories. If you suspect exploitation, examine filesystem access logs and user actions around sensitive file locations. Consider implementing runtime monitoring for filesystem calls that traverse outside expected boundaries.
Why prioritize this
This vulnerability merits urgent attention because it enables authenticated attackers to read and write arbitrary files on the system, affecting both confidentiality and integrity. The CVSS score of 8.1 (HIGH) reflects the combination of network accessibility and high-impact access control bypass. While authentication is required, the ease of exploitation and the likelihood of Billy being embedded in critical data-access paths make this a significant risk. Organizations should prioritize patching this across all affected services.
Risk score, explained
The score of 8.1 reflects a HIGH severity due to the attack vector being network-accessible (AV:N), low attack complexity (AC:L), and high impact on confidentiality (C:H) and integrity (I:H). The requirement for low privilege (PR:L) prevents a perfect score, but does not substantially reduce the practical risk, as many services run with authenticated user contexts. The lack of impact on availability (A:N) is correct—path traversal does not inherently cause denial of service, though data destruction is possible.
Frequently asked questions
Do I need to update immediately if I use go-billy?
If your application exposes network access to any service using go-billy before 5.9.0 and users can supply paths or trigger filesystem operations, yes—prioritize this update. If Billy is used only in offline tooling or internal utilities with no network exposure, you have more flexibility, but should still plan an update within your standard patch cycle.
Can this be exploited without authentication?
No. The CVSS vector shows PR:L (low privilege required), meaning an attacker must already have some level of authenticated access to the application. This is not a zero-auth remote code execution vulnerability, but it is still dangerous for multi-tenant systems or privilege-separated architectures.
Will updating go-billy break my application?
Version 5.9.0 is a patch release designed to fix security issues without breaking the public API. Most applications should update without code changes. However, test the upgrade in a staging environment first, particularly if you have custom path handling or non-standard uses of the filesystem abstraction.
Does go-billy provide strong security boundaries?
No. Go-billy is a convenience abstraction, not a cryptographic or sandboxing mechanism. While 5.9.0 fixes path traversal inconsistencies, applications requiring strict filesystem isolation should not rely on go-billy alone. Combine it with OS-level access controls, containerization, or privilege separation for defense in depth.
This analysis is provided for informational purposes based on the published CVE record and vendor advisory. The information herein is not guaranteed to be error-free or complete. Organizations should verify all patch versions, affected products, and remediation steps against official vendor documentation before implementation. No liability is assumed for decisions made based on this analysis. Always test patches in a non-production environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-32847HIGHDeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-35082HIGHMBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability
- CVE-2026-39276HIGHEmlog Pro v2.6.9 Path Traversal Remote Code Execution
- CVE-2026-43624HIGHF5-TTS Path Traversal Vulnerability (CVSS 8.2)
- CVE-2026-44594HIGHLocal File Inclusion in esm.sh CDN – HIGH Severity Information Disclosure