CVE-2026-54250 | K3s is a fully conformant production-ready Kubernetes distri… | CVSS 5.8 MEDIUM

Description

K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.

Metadata

CVE ID: CVE-2026-54250
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 16:25 UTC
Published: 2026-06-25 17:56 UTC
Last updated: 2026-06-25 17:56 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: k3s-io / k3s
Sources: cve.org · NVD

Severity & Metrics

5.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
k3s-io	k3s	—	>= 1.35.0-rc1+k3s1, < 1.35.3+k3s1, >= 1.34.0-rc1+k3s1, < 1.34.6+k3s1, < 1.33.10+k3s1

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.8	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H

References (1)

https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98 https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98