CWE-61: UNIX Symbolic Link (Symlink) Following
Also known as: Symlink following, symlink vulnerability
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Last updated
Overview
A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
Real-world CVEs
123 recorded CVEs are caused by CWE-61 (UNIX Symbolic Link (Symlink) Following), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 44 new CWE-61 CVEs have been recorded so far in 2026 (30 in 2025).
- CVE-2026-54420CISA KEVHigh · CVSS 8.5 · EPSS 66th2026-06-14
- CVE-2024-28189Critical · CVSS 10.0 · EPSS 94th2024-04-18
- CVE-2024-28185Critical · CVSS 10.0 · EPSS 93th2024-04-18
- CVE-2025-23394
daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root
Critical · CVSS 9.8 · EPSS 39th2025-05-26 - CVE-2024-54661Critical · CVSS 9.8 · EPSS 52th2024-12-04
- CVE-2026-55447
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical · CVSS 9.6 · EPSS 33th2026-06-23 - CVE-2025-68937Critical · CVSS 9.5 · EPSS 39th2025-12-25
- CVE-2026-34078
Flatpak has a complete sandbox escape leading to host file access and code execution in the host context
Critical · CVSS 9.3 · EPSS 74th2026-04-07 - CVE-2026-39860
Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination
Critical · CVSS 9.0 · EPSS 9th2026-04-08 - CVE-2026-6475
PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice
High · CVSS 8.8 · EPSS 24th2026-05-14 - CVE-2026-27976
Zed Extension Sandbox Escape via Tar Symlink Following
High · CVSS 8.8 · EPSS 39th2026-02-25 - CVE-2025-55345
Unsafe symlink following in restricted workspace-write sandbox leads to RCE
High · CVSS 8.8 · EPSS 54th2025-08-13
Showing 12 of 123 recorded CWE-61 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-61 vulnerabilitiesCommon consequences
What can happen when CWE-61 is exploited.
Read Files or Directories, Modify Files or Directories
Affects: Confidentiality, Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-61, grouped by where in the lifecycle they apply.
Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-1999-1386 — Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
- CVE-2000-1178 — Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
- CVE-2004-0217 — Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
- CVE-2003-0517 — Symlink attack allows local users to overwrite files.
- CVE-2004-0689 — Possible interesting example
- CVE-2005-1879 — Second-order symlink vulnerabilities
- CVE-2005-1880 — Second-order symlink vulnerabilities
- CVE-2005-1916 — Symlink in Python program
- CVE-2000-0972 — Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
- CVE-2005-0824 — Signal causes a dump that follows symlinks.
- CVE-2015-3629 — A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
- CVE-2020-26277 — In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute.
- CVE-2021-21272 — "Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.
Terminology & mappings
Alternate terms
- Symlink following
- symlink vulnerability
Mapped taxonomies
- PLOVER: UNIX symbolic link following
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-61.
- What is CWE-61?
- The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
- What CVEs are caused by CWE-61?
- 123 recorded CVEs are attributed to CWE-61, including CVE-2026-54420, CVE-2024-28189, CVE-2024-28185. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-61?
- Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
- How is CWE-61 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-61?
- Exploiting CWE-61 can lead to: Read Files or Directories, Modify Files or Directories.
- Is CWE-61 actively exploited?
- Yes. 1 CWE-61 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 123 recorded CVEs.
References
- MITRE CWE definition (CWE-61) (opens in a new tab)
- CWE-61 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-61
Get alerted the moment a new CWE-61 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.