CVE-2026-49233: Routinator Path Traversal Vulnerability – Urgent BGP Security Risk
Routinator, a critical tool for validating BGP route origins, contains a path traversal vulnerability in how it processes rsync module names. An attacker can craft a malicious rsync URI with directory traversal sequences (like ..) in the module component, allowing unauthorized access to files outside the intended cache directory. This could expose the entire rsync cache to an unauthenticated attacker over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49233 exploits insufficient input validation in Routinator's rsync URI parser. The vulnerability exists in the module component of rsync URIs, which Routinator uses to construct file system paths for its cache. By injecting path traversal sequences (..) into the module name, an attacker can escape the intended cache directory and access arbitrary files within the Routinator rsync cache. This is a classic CWE-22 path traversal flaw affecting a networked daemon without authentication requirements.
Business impact
For organizations running Routinator to validate BGP route objects, this vulnerability creates a significant data exposure risk. An attacker gaining read access to the rsync cache could obtain sensitive BGP operational data, including route object details that may reveal network topology or infrastructure configuration. The lack of authentication requirement means any remote attacker can attempt exploitation. The impact is limited to confidentiality (read-only access), but the scope includes the entire cache, making this a material information disclosure threat to network operations teams.
Affected systems
NLnet Labs Routinator is affected. The vulnerability applies to network environments where Routinator is deployed and exposed to rsync requests. Risk is highest for publicly accessible Routinator instances or those reachable from untrusted networks. Determine your installed version against vendor advisories to confirm whether patching is required.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no user interaction, and no special network positioning—any remote attacker can send a crafted rsync URI to trigger the flaw. The CVSS score of 7.5 (HIGH) reflects the network accessibility and ease of exploitation, though the impact is limited to information disclosure without integrity or availability consequences.
Remediation
Apply the security patch released by NLnet Labs for Routinator as soon as possible. Verify against the official NLnet Labs advisory for the specific patched version applicable to your deployment. In environments where immediate patching is not feasible, restrict network access to Routinator's rsync interface using firewall rules, limiting exposure to trusted networks only.
Patch guidance
Consult the NLnet Labs Routinator security advisory for the specific version that resolves CVE-2026-49233. Test the patched version in a staging environment before production rollout to ensure compatibility with your BGP validation workflows. Given the HIGH severity and ease of exploitation, prioritize deployment within your standard security patching cycle.
Detection guidance
Monitor Routinator logs for rsync requests containing path traversal patterns (.. sequences) in the module component of URIs. Alert on any failed file access attempts outside the intended cache directory. Network-based detection can identify suspicious rsync traffic with encoded or obfuscated traversal sequences. Baseline normal Routinator rsync module names in your environment and flag deviations.
Why prioritize this
This HIGH-severity vulnerability merits urgent attention because it combines unauthenticated remote access, trivial exploitation, and a publicly disclosed flaw affecting a critical BGP validation tool. Although impact is limited to information disclosure, the confidentiality exposure of the entire rsync cache poses operational and potential competitive risk. Rapid patching significantly reduces your attack surface.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: network-based attack vector requiring no privileges or user interaction, high confidentiality impact affecting the entire cache, but no integrity or availability impact. The score does not account for business context (BGP data sensitivity) or environmental factors (network exposure), which security teams should evaluate independently.
Frequently asked questions
What is Routinator and why does it matter?
Routinator is NLnet Labs' open-source validator for RPKI (Resource Public Key Infrastructure) route objects, critical for BGP route origin validation. It processes rsync feeds to maintain a cache of validated route objects used to prevent BGP hijacking. Compromise of its cache undermines BGP security.
Can an attacker modify or delete cache files, or is this read-only?
This vulnerability enables read-only access (confidentiality impact). An attacker cannot modify or delete cache data. However, full read access to the rsync cache may expose BGP operational details that could inform further attacks.
Do I need this vulnerability to be added to CISA's KEV catalog to prioritize it?
This vulnerability is not currently on the CISA Known Exploited Vulnerabilities catalog, but its high CVSS score, lack of authentication requirement, and network-based exploitability make it a high priority regardless of KEV status. Do not delay patching based on KEV inclusion.
What does 'module component' mean in an rsync URI?
An rsync URI follows the format rsync://host/module/path. The module is the exported rsync share name configured on the rsync server. In Routinator, this module name is used to construct the local file path where cache data is stored. The vulnerability allows .. sequences in the module name to traverse outside the intended directory.
This analysis is provided for informational purposes and reflects publicly disclosed vulnerability details as of the publication date. Security teams must verify all patch versions, affected product versions, and vendor guidance against official NLnet Labs advisories before deployment. Testing in non-production environments is strongly recommended. This summary does not constitute professional security advice; consult qualified security professionals for your specific infrastructure and risk profile. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write
- CVE-2026-22926HIGHOmnissa Workspace ONE Assist macOS Local Privilege Escalation