Intel

AIKIDO-2026-627943

wasmtime is vulnerable to Improper Access Control

Improper Access ControlCVE-2026-47261 Published 2 days ago

75

High Risk

This Affects:

PYTHONwasmtime
27.0.0 - 44.0.0
Fixed in 45.0.0
Are you affected? Scan for Free

TL;DR

The wasmtime package ships the precompiled Wasmtime runtime, whose WASI filesystem layer enforces per-directory and per-file permissions on preopened directories. When a host preopens a directory with writable directory permissions but read-only file permissions, a guest module can call path_open using only the truncate flag to open and truncate a file that should be read-only, because the truncate path is not treated as a write for the permission check. This lets sandboxed WebAssembly modules destroy or overwrite file contents the embedder intended to expose read-only. The fix marks truncating opens as writes so the file-permission check rejects them.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application preopens a WASI directory with writable directory permissions but read-only file permissions.

Background info

wasmtime is vulnerable to Improper Access Control in versions 27.0.0 - 44.0.0.

How to fix this

Upgrade the wasmtime library to the patch version.