K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.

Project Subscriptions

Vendors Products
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jxr7-mqhw-9p98 K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared K3s
K3s k3s
Vendors & Products K3s
K3s k3s

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
Title K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:42:33.835Z

Reserved: 2026-06-12T16:25:43.085Z

Link: CVE-2026-54250

cve-icon Vulnrichment

Updated: 2026-06-26T17:50:43.600Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:15:16Z

Weaknesses