{"vuid":"VU#873170","idnumber":"873170","name":"Collibra Agent contains improper authentication and path traversal vulnerabilities","keywords":null,"overview":"### Overview\r\nThe Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that, once extracted, writes attacker-controlled files to arbitrary locations on the server, resulting in code execution.\r\n\r\n### Description\r\nCollibra Platform (CP) and Collibra Platform Self-Hosted (CPSH) form an enterprise-grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on a different port than the web interface and has the following vulnerabilities.\r\n\r\n\r\n**CVE-2026-10622** Privileged REST endpoints exposed under `/rest/*` do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths.\r\nAdditionally, the web service hosting the vulnerable `REST` endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks.\r\n\r\n**CVE-2026-10621** A Zip Slip vulnerability during extraction is exposed through `POST` `/rest/restore` and enables path traversal.
When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction.\r\nA remote attacker can supply a crafted ZIP archive containing directory traversal sequences, such as `../`, to write files outside of the intended extraction directory. This may allow an attacker to write attacker-controlled files to arbitrary locations on the underlying host.\r\nIn an observed exploitation path, this arbitrary file write can be used to place a malicious `JSP` file into a web-accessible directory, enabling remote code execution when the file is subsequently requested over HTTP.\r\n\r\n\r\n### Impact\r\n\r\nA remote, unauthenticated attacker can chain these vulnerabilities to achieve remote code execution on the affected system. An attacker who successfully exploits these issues may be able to:\r\n-\tinstall a persistent web shell\r\n-\tread, modify, or delete application data\r\n-\tdisrupt system availability\r\n-\tpotentially pivot further into the surrounding environment\r\nBecause exploitation does not require authentication, deployments reachable from the public internet may be at significant risk.\r\n\r\n### Solution\r\n\r\nCollibra has released the following versions to address these vulnerabilities.\r\n\r\nCollibra Platform (SaaS):\r\n2026.05\r\n2026.04.5\r\n2026.03.4\r\n2026.02.6\r\n2025.11.7\r\n2025.10.9\r\n\r\nCollibra Platform Self-Hosted (on-prem):\r\n2026.03 (Build 2026.03.356)\r\n2025.10 (Build 2025.10.399)\r\n\r\nUsers are strongly encouraged to update to a fixed release as soon as possible. Refer to Collibra documentation and release notes for patching and deployment guidance.\r\nAdministrators should ensure that interfaces exposing `REST` endpoints are not reachable from untrusted networks and should restrict access to management interfaces wherever possible.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, who wishes to remain anonymous.
This document was written by Michael Bragg.\r\n\r\n**VU#873170.2**\r\nPath traversal in the restore handler of Collibra Agent allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file paths during ZIP extraction, which can allow an attacker to write files outside the intended extraction directory.\r\n\r\n**VU#873170.1**\r\nImproper authentication in the REST API of Collibra Agent allows a remote, unauthenticated attacker to access privileged functionality via exposed `/rest/*` endpoints.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":[],"cveids":["CVE-2026-10622","CVE-2026-10621"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-06-02T13:54:00.324121Z","publicdate":"2026-06-02T13:54:00.074031Z","datefirstpublished":"2026-06-02T13:54:00.342736Z","dateupdated":"2026-06-02T14:02:46.157558Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":200}