CWE-426: Untrusted Search Path
Abstraction: Base | Status: Stable
Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Common consequences
- Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands. There is the potential for arbitrary code execution with the privileges of the vulnerable program.
- Scope: Availability. Impact: DoS: Crash, Exit, or Restart. The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.
- Scope: Confidentiality. Impact: Read Files or Directories. The program could send the output of unauthorized files to the attacker.
Potential mitigations
- Phase: Architecture and Design, Implementation. Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- Phase: Implementation. When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code ref
- Phase: Implementation. Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
- Phase: Implementation. Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
- Phase: Implementation. Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
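As an added example (not part of the CWE entry), a C routine that applies the "check your search path before use" mitigation: it drops the elements an outside party could control (empty or relative entries, the current directory, ".." components and the temp directories in the assumed UNSAFE_DIRS list) and keeps the remaining entries in order.

```c
#include <string.h>

/* Added example, not from the CWE entry. The directories treated as unsafe are an
 * assumption for this demo; a real build would hard-code administrator-approved ones. */
static const char *UNSAFE_DIRS[] = { "/tmp", "/var/tmp", "/dev/shm", NULL };

/* Returns 1 if one search-path element may stay, 0 if it must be dropped. */
int is_safe_path_element(const char *elem)
{
    /* "" and "." mean the current working directory to the exec*p() family,
     * and any other relative element resolves against it as well. */
    if (elem[0] != '/') return 0;
    /* Reject ".." components that could climb out of a trusted directory (conservative). */
    if (strstr(elem, "/..")) return 0;
    for (const char **d = UNSAFE_DIRS; *d; d++) {
        size_t n = strlen(*d);
        if (strncmp(elem, *d, n) == 0 && (elem[n] == '\0' || elem[n] == '/')) return 0;
    }
    return 1;
}

/* Copies the safe elements of a PATH-style string into `out` (size `outsz`),
 * keeping their order. Returns the count kept, or -1 if `out` is too small. */
int sanitize_search_path(const char *path, char *out, size_t outsz)
{
    int kept = 0;
    size_t used = 0;
    char elem[4096];
    out[0] = '\0';
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < sizeof elem) {            /* over-long elements are dropped */
            memcpy(elem, p, len);
            elem[len] = '\0';
            if (is_safe_path_element(elem)) {
                if (used + len + 2 > outsz) return -1; /* room for ':' and the NUL */
                if (kept) out[used++] = ':';
                memcpy(out + used, elem, len);
                used += len;
                out[used] = '\0';
                kept++;
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return kept;
}
```

The result can then be passed as the only PATH entry in an explicit envp to execve() together with a fully-qualified program path, which covers the entry's other two implementation mitigations in the same call.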
Related CWEs
Recent CVEs classified under this CWE
CVE ID           Score  Date
CVE-2026-11401   8.0    2026-06-05
CVE-2026-11400   8.0    2026-06-05
CVE-2026-44477   9.9    2026-05-28
CVE-2026-45721   9.0    2026-05-26
CVE-2026-45772   9.8    2026-05-15
CVE-2026-30906   7.8    2026-05-13
CVE-2026-0251    n/a    2026-05-13
CVE-2026-42830   6.5    2026-05-12
CVE-2026-7309    4.3    2026-04-28
CVE-2026-35368   7.8    2026-04-22
CVE-2026-6421    7.0    2026-04-17
CVE-2026-27290   8.6    2026-04-14
CVE-2026-40287   8.4    2026-04-14
CVE-2026-40156   7.8    2026-04-10
CVE-2026-39883   7.0    2026-04-08
CVE-2025-39666   7.3    2026-04-07
CVE-2022-4987    7.3    2026-04-03
CVE-2026-3780    7.3    2026-04-01
CVE-2026-4962    7.0    2026-03-27
CVE-2026-4546    7.0    2026-03-22