PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32146 Gleam CVE debrief

CVE-2026-32146 is an improper path validation issue in Gleam’s handling of git dependencies. During dependency download, names from gleam.toml and manifest.toml could be incorporated into filesystem paths without sufficient confinement to the intended dependency directory. That allowed attacker-controlled relative or absolute paths to affect locations outside the expected directory, with the risk of directory deletion, overwrite, and data loss. The issue affects Gleam 1.9.0-rc1 through 1.15.4.

Vendor: Gleam
Product: Unknown
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-11
Original CVE updated: 2026-05-21
Advisory published: 2026-04-11
Advisory updated: 2026-05-21

Who should care

Teams that use Gleam projects with git-based dependencies, especially build systems, CI runners, and developer environments that automatically run dependency downloads. Any environment where untrusted or transitive dependencies can influence the dependency graph should treat this as high priority.

Technical summary

NVD and the vendor-linked advisory describe a CWE-22 path traversal weakness in the compiler’s dependency resolution flow. When resolving git dependencies, dependency names from project and manifest files were used to compute filesystem paths without enough validation or directory confinement. The resulting path was then used for filesystem operations such as directory deletion and creation. Because the path could be attacker-controlled, a malicious direct or transitive git dependency could target directories outside the intended dependency storage area. The published vulnerability scope covers Gleam versions from 1.9.0-rc1 up to 1.15.4.
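The confinement gap described above, as an added example in Rust (the language the Gleam compiler is written in); this is not Gleam's own code, and the base directory and dependency names are constructed for illustration. It contrasts a path built by splicing the name straight into the dependency directory with one that accepts only a single plain path component and re-checks the result.

```rust
use std::path::{Component, Path, PathBuf};

/// Weak form: the dependency name is spliced straight into the path.
/// `Path::join` discards `base` entirely when `name` is absolute, and
/// "../" components walk out of `base`, so a later remove_dir_all or
/// create_dir_all on the result can touch unrelated directories.
pub fn unconfined_dep_path(base: &Path, name: &str) -> PathBuf {
    base.join(name)
}

/// Hardened form: the name must be exactly one normal path component
/// (no separators, no ".", no "..", no root), and the joined result
/// must still lie under `base`.
pub fn confined_dep_path(base: &Path, name: &str) -> Result<PathBuf, String> {
    let mut comps = Path::new(name).components();
    match (comps.next(), comps.next()) {
        // Also require the component to equal the raw name so that
        // spellings like "foo/." are rejected rather than normalised.
        (Some(Component::Normal(c)), None) if c == name => {}
        _ => return Err(format!("invalid dependency name {name:?}")),
    }
    let candidate = base.join(name);
    // Lexical defence in depth: catches an absolute name replacing the
    // base. It does not see through ".." (already rejected above) or
    // symlinks, which would need a filesystem-level check.
    if !candidate.starts_with(base) {
        return Err(format!("{} escapes {}", candidate.display(), base.display()));
    }
    Ok(candidate)
}

fn main() {
    // Constructed sample directory and names, not values from the advisory.
    let base = Path::new("/tmp/build/deps");
    for name in ["gleam_stdlib", "../../important", "/etc/cron.d", "a/b"] {
        println!(
            "{name:?}: unconfined={} confined={:?}",
            unconfined_dep_path(base, name).display(),
            confined_dep_path(base, name)
        );
    }
}
```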

Defensive priority

High. The impact includes arbitrary filesystem modification during a routine dependency operation, which can lead to data loss and potentially broader compromise if sensitive files or execution-related files are overwritten.

Recommended defensive actions

  • Upgrade Gleam to a version newer than 1.15.4, which is outside the affected range.
  • Review the vendor advisory and linked fixes to confirm the corrected path handling in your deployment pipeline.
  • Restrict dependency sources to trusted repositories where possible, especially for git dependencies.
  • Treat dependency downloads as sensitive operations in CI and local automation, and run them in least-privilege environments.
  • Inspect build and developer environments for unexpected file changes after dependency resolution, particularly outside the dependency cache or vendor directory.

Evidence notes

This debrief is based on the NVD record, the ERLEF CNA advisory, the Gleam security advisory, and the linked patch commits. The supplied description states that dependency names from gleam.toml and manifest.toml were used in filesystem paths without sufficient validation, enabling traversal via relative or absolute paths during git dependency download. NVD lists CWE-22 and an affected version range beginning at 1.9.0 and ending before 1.15.4. No exploit details are included beyond the supplied source summary.

Official resources

Published by the CVE source on 2026-04-11 and last modified on 2026-05-21. The supplied sources indicate the issue was publicly documented through the vendor advisory and linked patches, with NVD later marking the record as analyzed.