CVE-2026-54250
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In K3s before versions 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1, a path traversal vulnerability exists in the etcd snapshot decompression functionality. ZIP archives containing maliciously named members can be written to arbitrary filesystem locations when an administrator restores the archive as a compressed etcd snapshot.
Risk Assessment
An attacker could exploit this vulnerability to overwrite critical system or configuration files, potentially leading to privilege escalation, cluster integrity compromise, or full node takeover.
Recommendation
Immediately upgrade K3s to version 1.35.3+k3s1, 1.34.6+k3s1, or v1.33.10+k3s1, depending on the branch in use. Before upgrading, verify the integrity of etcd snapshots from untrusted sources.
Original NVD description (English source)
K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.

