CVE Tools
Sign in

CVE-2026-47261

Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Published: Jun 15, 2026Updated: Jun 17, 2026 Sources: CVE List NVDCWE-284
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.5%
Top 61.2%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Workaround Only

Description

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-284NVD-CWE-noinfo

Affected Products

wasmtimebytecodealliance
LibraryLibrary
OSS Libraries / generic-library
bytecodeallianceoss-projectOSS Libraries

Exploitability

Workaround Available

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
github.com
https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.9
github.com
https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.10
github.com
and 2 more references View all →

Timeline

Published
Jun 15, 2026
Last Updated
Jun 17, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-47261 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows