CVE-2026-10621 | Path traversal in restore handler in Collibra Agent, allows … | CVSS 7.5 HIGH

Description

Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.

Metadata

CVE ID: CVE-2026-10621
State: PUBLISHED
Assigner: certcc
Reserved: 2026-06-02 13:58 UTC
Published: 2026-06-02 14:03 UTC
Last updated: 2026-06-02 19:27 UTC
Vendor / Product: Collibra / Collibra Platform (SaaS)
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (7)

Vendor	Product	Platform	Versions
Collibra	Collibra Platform (on-prem)	—	2026.03 < 2026.03.356
Collibra	Collibra Platform (on-prem)	—	2025.10 < 2025.10.399
Collibra	Collibra Platform (SaaS)	—	2025.10 < 2025.10.9
Collibra	Collibra Platform (SaaS)	—	2025.11 < 2025.11.7
Collibra	Collibra Platform (SaaS)	—	2026.02 < 2026.02.6
Collibra	Collibra Platform (SaaS)	—	2026.03 < 2026.03.4
Collibra	Collibra Platform (SaaS)	—	2026.04 < 2024.04.5

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
—	cna	CWE-73 External Control of File Name or Path

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (2)