eastbaycyber

CVE-2026-5229: OPA path traversal in package_index

CVE explainers 6 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-15
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

CVE-2026-5229 is a high-severity Open Policy Agent (OPA) vulnerability affecting v1.4.0 and earlier. The flaw is a path traversal issue in the package_index module during tar.gz extraction, and it is fixed in v1.4.1. In practice, the risk matters most when OPA is configured to pull packages or bundles from remote registries, especially if those sources are not fully trusted.

If you manage policy infrastructure, treat this as a supply-chain security problem rather than a generic internet-facing RCE scenario. A crafted archive may write files into unintended locations inside OPA’s package installation area and potentially influence policy or data loading. For related hardening guidance, see our internal resources on supply chain security basics and how to secure open policy agent deployments.

Vulnerability at a Glance

Field Value
CVE ID CVE-2026-5229
CVSS 7.5 (High) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector Network
Auth required None
Patch status Yes — fixed in Open Policy Agent v1.4.1

What Is CVE-2026-5229?

CVE-2026-5229 is a path traversal vulnerability in OPA’s package_index module. Based on the published description, archive entry paths inside a downloaded tar.gz package were not validated safely before extraction. That means a malicious package can cause files to be written into unintended but known locations within OPA’s package installation directories.

The direct consequence is arbitrary file overwrite inside the package installation area used by OPA. That can affect which policies or data OPA ultimately loads and evaluates. This does not automatically mean full host takeover, and it should not be described that way without additional evidence. But it is still serious because many deployments rely on OPA for security-sensitive decisions such as authorization, admission control, and policy enforcement.

This issue is best understood as an artifact ingestion risk. The attack path depends on OPA fetching a malicious package from a source it trusts enough to download and extract. That makes trust boundaries around registries and package sources central to the risk analysis.

AnalystImpact · assess the risk

Who Is Affected?

The affected product is Open Policy Agent. The vulnerable version range is:

  • v1.4.0 and earlier

The fix is available in:

  • v1.4.1

The most exposed environments are those where OPA automatically downloads bundles or packages from remote registries. If those registries are external, loosely controlled, or attacker-influenced, the conditions for exploitation are much more realistic.

Even deployments that use internal registries are still vulnerable in software terms if they run v1.4.0 and earlier. The difference is that the attacker would first need a way to place a malicious artifact into that trusted internal source. That lowers likelihood, but it does not eliminate risk.

If your organization cannot quickly answer whether OPA instances pull packages automatically, that should be treated as a visibility gap worth fixing.

CVSS Score Breakdown

The published CVSS v3.1 base score is 7.5 / High with vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Here is what that means operationally:

Metric Value Defender meaning
Attack Vector AV:N The vulnerable workflow is reachable over the network through remote package fetching.
Attack Complexity AC:L The attack does not require unusual preconditions beyond delivering a crafted archive.
Privileges Required PR:N The attacker does not need credentials on the target host.
User Interaction UI:N No human action is needed once the pull workflow exists.
Scope S:U Impact remains within the vulnerable component’s scope.
Confidentiality C:H Policy or data effects may expose sensitive outcomes.
Integrity I:N The published vector assigns no integrity impact.
Availability A:N The published vector assigns no availability impact.

One nuance is worth noting: the technical behavior involves file overwrite, which sounds like integrity impact, but the published CVSS vector uses I:N. For public reporting, use the standardized score as published. For internal prioritization, you may still want to capture the practical risk that altered package contents can influence policy behavior.

Exploitation Status

At publication time, there is no reported evidence of active exploitation in the wild in the provided source material. There is also no public proof-of-concept identified in the available references.

That should not be interpreted as a reason to delay patching. Path traversal during archive extraction is a well-understood bug class, and the exploitation path is conceptually straightforward when untrusted package sources are involved.

For defenders, the key questions are:

  1. Are any OPA instances running v1.4.0 or earlier?
  2. Can those instances pull packages or bundles from a source we do not fully control?

If the answer to both is yes, remediation should be prioritized.

ResponderRunbook · act now

How to Detect Exposure

Start with version discovery. Identify all OPA instances and determine whether any are running v1.4.0 or earlier.

Then identify configuration that enables automatic downloads of bundles or packages. Review:

  • deployment manifests
  • startup arguments
  • registry configuration
  • bundle source settings
  • image or binary versions

Next, review source trust. Flag registries that are:

  • external
  • third-party managed
  • not allowlisted
  • shared across business units without strong controls

A practical host-side detection signal is unexpected file creation or overwrite within OPA package installation directories shortly after a package download event.

For Linux systems using auditd, a basic watch rule can help:

auditctl -w /path/to/opa/package-dir -p wa -k opa-package-write
ausearch -k opa-package-write

Replace /path/to/opa/package-dir with your actual configured package path.

If you centralize telemetry, correlate package retrieval with file changes. A generic hunt might look like:

(package_download_logs OR proxy_logs)
| where destination_host not in ("trusted-registry-1", "trusted-registry-2")
| join kind=inner (
    file_change_events
    | where file_path contains "opa" and action in ("create","modify","overwrite")
) on host within 10m

If compromise is suspected, compare current extracted files against known-good package contents and trusted checksums. Any mismatch deserves immediate investigation.

Mitigation and Patching

The recommended fix is to upgrade Open Policy Agent to v1.4.1 or later. If you are running v1.4.0 or earlier, assume the vulnerable extraction behavior is present unless you have verified a vendor-supported backport.

After upgrading, verify the running version explicitly:

opa version

If you cannot patch immediately, reduce exposure by restricting package sources to trusted registries only. Temporary risk reduction steps include:

  • disable package pulls from untrusted sources
  • enforce registry allowlisting
  • remove external or test feeds
  • restrict egress from affected OPA instances to approved endpoints only

An emergency Linux example:

iptables -A OUTPUT -p tcp -d <untrusted-registry-ip> --dport 443 -j REJECT

Replace <untrusted-registry-ip> with the actual endpoint. In managed environments, equivalent proxy, firewall, or cloud security controls are usually preferable.

After containment and upgrade, inspect package installation directories for unexpected or recently changed files. If anomalies are found, restore from a known-good source rather than trusting the current on-disk state.

Practical Response Priorities

A simple response order for most teams is:

  1. Inventory OPA versions.
  2. Identify any instance on v1.4.0 or earlier.
  3. Determine whether it pulls remote packages or bundles.
  4. Restrict package sources to trusted registries.
  5. Upgrade to v1.4.1.
  6. Review package directories for unexpected writes.
  7. Validate policy integrity after remediation.

Security Tooling Recommendations

If your OPA deployment is part of a broader cloud or remote-work environment, adjacent controls can help reduce exposure during incident response and recovery. For secure admin access over untrusted networks, a VPN such as Check NordVPN pricing → or Try Proton VPN → can help protect operator sessions. If you need to scan endpoints involved in artifact handling for suspicious changes or malware during triage, Get Malwarebytes → is a reasonable option. For teams managing privileged credentials used in registry administration, Try 1Password → can help reduce credential sprawl.

References

Source URL
NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-5229
GitHub Security Advisory (OPA) https://github.com/open-policy-agent/opa/security/advisories/GHSA-3x6w-8m4j-2r2m

For most defenders, the decision is straightforward: if OPA can pull remote packages and you are running v1.4.0 or earlier, upgrade to v1.4.1, restrict registry trust, and inspect package installation paths for unexpected writes.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-15

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.