CVE-2026-54369 HIGH

CVE-2026-54369: acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions

Vendor Acl Project
Product acl
Weakness CWE-59
Published June 29, 2026
Last update June 30, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
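The following is an added caller-side hardening example, not code from the acl project or its fix: a privileged program can refuse symlinks in every pathname component by walking the path with openat() and O_NOFOLLOW, then pass the resulting descriptor to the descriptor-based libacl calls acl_get_fd() / acl_set_fd() instead of the pathname functions listed above. The names open_no_symlinks and selftest and the fixture paths are hypothetical, and the code assumes a POSIX.1-2008 system such as Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: walk `path` one component at a time and return a
 * descriptor for the final object, or -1 if any component is a symlink. */
int open_no_symlinks(const char *path)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    char *comp = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        /* O_NOFOLLOW makes openat() fail on a symlink; ".." is refused outright. */
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : O_NONBLOCK);
        int fd = strcmp(comp, "..") ? openat(dirfd, comp, flags) : -1;
        close(dirfd);
        dirfd = fd;
        comp = next;
    }
    return dirfd;
}

/* Constructed fixture under /tmp: <dir>/real/file plus <dir>/link -> real.
 * Bit 0: plain path opens. Bit 1: symlinked path refused. Bit 2: open() follows it. */
int selftest(void)
{
    char tmp[] = "aclwalkXXXXXX", p[PATH_MAX], q[PATH_MAX];
    if (chdir("/tmp") || !mkdtemp(tmp)) return -1;
    snprintf(p, sizeof p, "%s/real", tmp);
    snprintf(q, sizeof q, "%s/link", tmp);
    if (mkdir(p, 0700) || symlink("real", q)) return -1;
    snprintf(p, sizeof p, "%s/real/file", tmp); close(creat(p, 0600));
    snprintf(q, sizeof q, "%s/link/file", tmp);
    int ok = open_no_symlinks(p), bad = open_no_symlinks(q);
    int direct = open(q, O_RDONLY);   /* ordinary resolution follows the link */
    close(ok); close(bad); close(direct);   /* close(-1) is a harmless EBADF */
    return (ok >= 0) | (bad < 0) << 1 | (direct >= 0) << 2;
}

int main(void) { printf("selftest = %d\n", selftest()); return 0; }
```

acl_get_fd() and acl_set_fd() operate on the access ACL only, so default-ACL handling on directories needs separate treatment.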

Key dates

02 Disclosure timeline

June 29, 2026 CVE published
June 30, 2026 Record updated