Python TUF, Platform-Dependent Path Matching Vulnerability, GHSA-qp9x-wp8f-qgjj (Medium) -DC-May2026-35

Listen to this Post

The core of this vulnerability lies in the `DelegatedRole._is_target_in_pathpattern` method, which is responsible for authorizing a target path against a delegation’s glob pattern. Internally, this method uses Python’s `fnmatch.fnmatch` to perform the comparison. The security flaw emerges because `fnmatch.fnmatch` normalizes both the target path and the pattern using `os.path.normcase()` before matching. On Windows, `normcase` converts characters to lowercase and changes forward slashes `/` to backslashes \, creating a case-insensitive comparison. In contrast, on Linux and macOS, `normcase` is an identity function, preserving the original case for a case-sensitive match.
This results in a critical inconsistency: a Windows client will treat path patterns case-insensitively, while a Linux or macOS client will treat them case-sensitively. For a TUF repository, this violates the specification because the authorization decision for a target file becomes dependent on the client’s operating system, not the repository’s defined rules.
An attacker can exploit this by carefully crafting a repository with two path-based delegations whose patterns differ only in case, for example, `Foo/` and foo/. The attacker ensures their malicious role is listed before the legitimate one in the delegation order. When a Windows client requests a target like foo/something, the `fnmatch.fnmatch` call normalizes the case to lowercase, causing the earlier attacker’s pattern `Foo/` to match. Consequently, the client authorizes the attacker’s role and downloads a malicious target instead of the intended legitimate one. This bypasses the TUF security model on Windows platforms, enabling unauthorized target replacement.

DailyCVE Form:

Platform: Python TUF
Version: <= 4.0.0
Vulnerability : Case-Insensitive Bypass
Severity: Medium
date: 2026-05-18

Prediction: 2026-05-28

Analytics under heading What Undercode Say:

Check if a target would be authorized on Windows
This simulates the vulnerable fnmatch behavior
python -c "import os, fnmatch; pattern='Foo/'; target='foo/something'; print(fnmatch.fnmatch(target, pattern))"
Vulnerable code path in tuf/api/_payload.py
if not fnmatch.fnmatch(target, pattern):
return False

Exploit:

  1. Control a delegated role in a TUF repository.
  2. Create a collision pattern (e.g., Foo/) that is case-insensitively identical to a legitimate pattern (foo/).
  3. Position the attacker’s role before the legitimate role in the delegation order.
  4. Wait for a Windows client to request a path that matches the legitimate pattern (e.g., foo/something).
  5. The client’s authorization logic will match the attacker’s pattern and grant access to the attacker’s role.

Protection:

  • Upgrade to a patched version of python-tuf (commit 7ecb67d or later).
  • The fix replaces `fnmatch.fnmatch` with fnmatch.fnmatchcase, which does not apply case normalization and behaves identically on all platforms.
  • As a workaround, restrict repository configurations to avoid case-colliding path patterns until an upgrade is performed.

Impact:

  • A Windows client can be tricked into downloading a malicious target file from a role it should not trust.
  • This breaks the TUF specification’s security guarantees for path-based delegations on Windows, potentially leading to arbitrary code execution if the malicious target is executed.
  • Linux and macOS clients are unaffected by this specific vulnerability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top