CVE-2026-52755: Ghidra Path Traversal in Theme Import – HIGH Severity RCE Risk
Ghidra, the NSA's reverse-engineering and binary analysis framework, contains a vulnerability in its theme import feature that allows an attacker to write files anywhere on a user's system, not just in the theme directory. An attacker can craft a malicious theme file—distributed as a ZIP archive—with specially crafted filenames that escape the intended directory. When a user imports this theme, files get written to unexpected locations, potentially allowing code execution or modification of critical system files like SSH keys or shell initialization scripts. This requires the user to actively import the malicious theme, but once triggered, the impact is severe.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52755 is a path traversal vulnerability (CWE-22) in Ghidra versions prior to 12.0.4, affecting the theme import functionality. The vulnerability arises from insufficient validation of filenames within theme ZIP files during extraction. An attacker can embed path traversal sequences (e.g., '../../../') in archived filenames to cause files to be written outside the target theme directory. The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector, no special privileges required, but user interaction needed; however, impact is high across confidentiality, integrity, and availability. The vulnerability enables arbitrary file write primitives, which can lead to arbitrary code execution through modification of executable startup files or credential theft via SSH key manipulation.
Business impact
The vulnerability poses a significant risk to security researchers, reverse engineers, and threat intelligence teams who rely on Ghidra daily. A compromised workstation running an outdated Ghidra version could allow an attacker to establish persistent access, exfiltrate source code or analysis work, or pivot to broader network compromise. Organizations using Ghidra in air-gapped or sensitive environments face elevated risk if users are socially engineered into importing malicious themes. The attack surface is non-trivial because it requires user interaction, but motivated attackers can integrate malicious themes into forums, threat intelligence feeds, or supply-chain distribution points targeting the reverse-engineering community.
Affected systems
Ghidra versions before 12.0.4 are affected. This includes all publicly released versions up to and including 12.0.3. The vulnerability is specific to the NSA's Ghidra distribution; custom builds or forks may have different patching status. Users on Linux, macOS, and Windows are all potentially affected if they use a vulnerable version and import untrusted theme files.
Exploitability
Exploitability is moderate to high in targeted scenarios. The vulnerability requires user interaction—specifically, the user must import a malicious theme file into Ghidra. There are no special privileges or authentication barriers. Attack distribution could leverage social engineering (e.g., "Download this community theme to improve your workflow") or compromise of theme repositories. Once a malicious theme is imported, the file write occurs automatically, making detection and mitigation by the end user difficult without deep technical knowledge. No public exploit code or active exploitation in the wild has been reported as of the advisory date.
Remediation
Upgrade Ghidra to version 12.0.4 or later immediately. There is no workaround for versions below 12.0.4 other than avoiding import of themes from untrusted sources. After patching, review system logs and file access patterns on machines that may have imported untrusted themes prior to the patch, particularly watching for suspicious modifications to ~/.bashrc, ~/.ssh/authorized_keys, shell profiles, or other startup files that could indicate previous exploitation.
Patch guidance
Download and install Ghidra 12.0.4 or later from the official NSA GitHub repository (https://github.com/NationalSecurityAgency/ghidra/releases). Verify the release signature and checksums to ensure authenticity. Organizations should test the patch in a non-production environment first, especially those with custom Ghidra configurations or plugins. Update package manager entries (if using Homebrew, apt, or other distribution channels) to ensure automated updates pull the patched version. Consider setting update policies to require Ghidra updates within a defined window (e.g., 2 weeks for HIGH severity).
Detection guidance
Monitor for suspicious file modifications in user home directories, particularly in ~/.bashrc, ~/.bash_profile, ~/.ssh/, or other startup/credential storage locations during or shortly after Ghidra theme imports. File integrity monitoring tools or endpoint detection and response (EDR) solutions can flag unexpected writes outside theme directories. Review Ghidra process logs and operating system audit logs (auditd on Linux, File Auditing on Windows) for theme import operations followed by file writes to unexpected paths. Hunt for ZIP extraction activity by Ghidra followed by write syscalls to paths containing '../' or similar traversal sequences in the original filename. Check for persistence indicators (newly added cron jobs, SSH public keys, shell profile modifications) on systems where theme imports occurred.
Why prioritize this
This vulnerability merits immediate patching despite moderate exploitability because: (1) the impact is high—arbitrary file write enables code execution and persistent access; (2) Ghidra is used extensively by security teams and threat intelligence units, making them targets for supply-chain or social engineering attacks; (3) the user interaction barrier is low in targeted scenarios where themes are distributed through community channels; (4) previously compromised systems may show subtle signs of tampering with startup files or SSH keys that are hard to detect without forensic analysis. Organizations should prioritize patching critical/tier-1 research and analyst workstations first.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) correctly reflects a local vulnerability with no privilege escalation needed but requiring user interaction. The vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates: Local Attack Vector (Ghidra runs locally); Low Attack Complexity (path traversal is straightforward to exploit); No Privileges required; User Interaction required (theme import); Unchanged Scope; and High impact on all three CIA pillars. In real-world risk modeling, this should be treated as slightly more urgent than the score suggests because the attack surface (security researcher population) is high-value and concentrated, and because file-write primitives are proximate to code execution in most desktop environments.
Frequently asked questions
Do I need to import themes from untrusted sources to be at risk?
Yes, currently. The vulnerability only triggers when a user explicitly imports a theme file into Ghidra. It does not exploit the application through normal reverse-engineering workflows. However, social engineering can make importing a 'recommended community theme' seem legitimate, and themes could be planted in public repositories or discussion forums targeting researchers.
What happens if an attacker modifies my SSH authorized_keys file?
An attacker could add their own public key to your ~/.ssh/authorized_keys, granting them SSH access to your account without needing your password. This is a common persistence mechanism. Once patched, check the file's contents and modification time (stat ~/.ssh/authorized_keys) to see if it was altered while you were using a vulnerable Ghidra version.
Is Ghidra 12.0.3 safe if I don't import themes?
If you do not import any theme files, the attack surface is eliminated. However, this is not a reliable mitigation because users may forget, or themes may be bundled with other content. The only safe approach is to upgrade to 12.0.4 or later.
Can I audit which themes I've imported in the past?
Ghidra stores theme files in a configuration directory (usually ~/.ghidra/[version]/themes on Linux/macOS, or %APPDATA%\Ghidra on Windows). Check the timestamps and contents of those directories to see what was imported. If you find suspicious files, consider running a filesystem integrity check or antivirus scan to detect any placed backdoors or persistence mechanisms.
This analysis is provided for informational purposes and reflects the state of the vulnerability as of the published and modified dates. SEC.co does not provide legal advice or guarantee the accuracy of third-party advisories or patch releases. Organizations should verify all patch versions and compatibility with their environment against official vendor releases before deployment. Exploit code has not been provided, and this document is not intended as weaponization guidance. Users should always test patches in non-production environments and maintain backups before applying critical updates. References to file paths and configurations are illustrative and may vary by operating system or Ghidra installation type. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-52752HIGHGhidra Path Traversal in Extension Installer (CVSS 7.8)
- CVE-2026-49497LOWGhidra Path Traversal in Debug Symbol Resolution
- CVE-2026-52756MEDIUMGhidra IsfServer Path Traversal Vulnerability
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide