Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-11T17:24:02 jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CWE-20

A flaw was found in jq, a command line JSON processor. Embedded NUL bytes in import paths are truncated during module and data-file lookup, creating a mismatch between the intended import string and the actual file path opened. This issue allows an attacker who can supply a crafted script to access unintended files.

To exploit this flaw, an attacker needs to supply a crafted script containing embedded NUL bytes in import paths to be processed by jq. This allows the attacker to bypass intended path validation mechanisms and access unintended files. Due to these reasons, this issue has been rated with a moderate severity. Do not process untrusted scripts with the jq command line JSON processor. Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Ceph Storage 4 Fix deferred jq Red Hat Enterprise Linux 10 Fix deferred jq Red Hat Enterprise Linux 8 Fix deferred jq Red Hat Enterprise Linux 9 Fix deferred jq Red Hat Hardened Images Affected jq Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-43895 https://nvd.nist.gov/vuln/detail/CVE-2026-43895 https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr