{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-12T21:53:52Z",
  "bugzilla" : {
    "description" : "mako: Mako: Information disclosure via directory traversal",
    "id" : "2476894",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2476894"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-22",
  "details" : [ "Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \\..\\..\\secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.", "A flaw was found in Mako, a Python template library. A remote attacker could exploit a directory traversal vulnerability by crafting a Uniform Resource Identifier (URI) with backslash traversal. Because the lookup normalizes paths with posixpath, which does not treat a backslash as a separator, the traversal check passes, while the Windows filesystem still resolves the backslashes as directory separators. This allows the attacker to read files outside the intended template directory, leading to information disclosure." ],
  "statement" : "This flaw is rated Moderate (CVSS 5.9) because exploitation requires high attack complexity (AC:H): the path traversal is Windows-specific and depends on attacker-controlled template names being passed to Mako's TemplateLookup. Red Hat products are deployed on Linux, where this vulnerability is not exploitable because Linux does not interpret backslash as a directory separator. The Resource Optimization Service ships the affected Mako version but runs on Linux, limiting practical impact.",
  "package_state" : [ {
    "product_name" : "Exploit Intelligence",
    "fix_state" : "Not affected",
    "package_name" : "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
    "cpe" : "cpe:/a:redhat:exploit_intelligence:0"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Not affected",
    "package_name" : "mta/mta-solution-server-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "python-mako",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python-mako",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "resource-agents",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python-mako",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-training-cuda128-torch29-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "satellite/iop-host-inventory-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44307\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44307\nhttps://github.com/sqlalchemy/mako/commit/72e10c573ca0fbcbddd4455abca8ce92a61780d7\nhttps://github.com/sqlalchemy/mako/issues/435\nhttps://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12\nhttps://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq" ],
  "name" : "CVE-2026-44307",
  "mitigation" : {
    "value" : "This vulnerability is specific to Windows systems where backslash characters are interpreted as path separators. Red Hat products running on Linux are not susceptible to this path traversal because Linux does not treat backslash as a directory separator. For any application using Mako on Windows, validate user-controlled template names to reject backslash characters before passing them to TemplateLookup.get_template(). Upgrading to Mako 1.3.12 resolves this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}
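The platform dependence described in the details and mitigation fields above can be reproduced without Windows, because Python ships both `posixpath` and `ntpath` on every OS. The following is an added example written for this record, not Mako's own code: it models the lookup's posixpath-based normalization and traversal check in a simplified form (the template directory `/srv/app/templates`, the attacker URI and the benign URI are constructed inputs), shows how the same normalized string stays inside the directory under POSIX rules but escapes it under Windows rules, and implements the pre-check the mitigation recommends. The check also rejects `..` segments, absolute names and NUL bytes, which goes beyond the backslash rejection the advisory text calls for.

```python
"""Constructed model of CVE-2026-44307 (backslash traversal in Mako < 1.3.12).

This is NOT Mako's code. It models the posixpath-based resolution of a
template URI and evaluates the result under both POSIX and Windows path
rules so the platform difference is visible on any operating system.
"""
import ntpath
import posixpath
import re
from typing import Optional

TEMPLATE_DIR = "/srv/app/templates"        # assumed template directory
ATTACK_URI = "..\\..\\secret.txt"          # constructed: backslash traversal
FORWARD_SLASH_URI = "../../secret.txt"     # constructed: ordinary traversal
BENIGN_URI = "pages/index.html"            # constructed: legitimate template


def lookup_candidate(uri: str) -> Optional[str]:
    """Simplified model of the vulnerable lookup.

    Leading slashes are stripped, the URI is joined to the template directory
    and normalised with posixpath, and a string-prefix check rejects anything
    that no longer lies under the directory. posixpath treats a backslash as
    an ordinary filename character, so '..\\..\\' survives normalisation and
    the prefix check passes. Returns None when the check rejects the URI.
    """
    u = re.sub(r"^/+", "", uri)
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, u))
    if not candidate.startswith(TEMPLATE_DIR + "/"):
        return None
    return candidate


def resolves_inside(path: str, base: str, os_path) -> bool:
    """Normalise `path` with the given path module (posixpath or ntpath) and
    report whether the filesystem of that platform would open it inside
    `base`. ntpath converts '/' to '\\' and collapses '..' components, which
    is what Windows does with the backslash-laden candidate."""
    resolved = os_path.normpath(path)
    base_norm = os_path.normpath(base)
    return resolved == base_norm or resolved.startswith(base_norm + os_path.sep)


def is_safe_template_name(uri: str) -> bool:
    """Pre-check to run before TemplateLookup.get_template().

    Rejects backslashes (the advisory's mitigation) and, as an added
    hardening measure beyond the advisory text, NUL bytes, absolute names
    and any '..' path segment.
    """
    if "\\" in uri or "\x00" in uri:
        return False
    if posixpath.isabs(uri):
        return False
    return all(part != ".." for part in uri.split("/"))


def hardened_lookup(uri: str) -> Optional[str]:
    """Lookup with the pre-check applied; None means the URI was rejected."""
    if not is_safe_template_name(uri):
        return None
    return lookup_candidate(uri)


if __name__ == "__main__":
    for uri in (ATTACK_URI, FORWARD_SLASH_URI, BENIGN_URI):
        cand = lookup_candidate(uri)
        print(f"uri={uri!r}")
        print(f"  vulnerable lookup -> {cand!r}")
        if cand is not None:
            print(f"  inside dir on Linux:   {resolves_inside(cand, TEMPLATE_DIR, posixpath)}")
            print(f"  inside dir on Windows: {resolves_inside(cand, TEMPLATE_DIR, ntpath)}")
        print(f"  hardened lookup   -> {hardened_lookup(uri)!r}")
```

Running the script shows the forward-slash traversal rejected by the prefix check, the benign name accepted under both platforms, and the backslash URI accepted by the vulnerable lookup yet resolving to `\srv\secret.txt` under Windows rules; the hardened lookup rejects it before it reaches the filesystem.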