CVE-2026-15392 in DBD::File
Summary
by MITRE • 07/14/2026
DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location.
The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories.
Callers of file-based drivers can read or write files outside of the data directory.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability in DBD::File versions prior to 1.651 represents a critical path traversal issue that fundamentally undermines the security boundaries of file-based database operations. This flaw resides in the complete_table_name method which constructs absolute file paths without validating the symbolic link integrity of table files, creating an exploitable condition where attackers can manipulate file access patterns beyond intended directories.
The technical implementation of this vulnerability stems from insufficient validation of symbolic links within the file path resolution process. When DBD::File processes table names, it resolves them to absolute paths through the complete_table_name method but fails to verify whether these paths are legitimate or if they represent symbolic links pointing elsewhere in the filesystem. This design flaw allows attackers to create symbolic links within the configured data directories that point to sensitive files outside the intended f_dir and f_dir_search boundaries, effectively bypassing access controls.
The operational impact of this vulnerability extends far beyond simple unauthorized file access, as it enables arbitrary read and write operations against any file system location accessible to the database process. Attackers can leverage this weakness to extract confidential data from system files, modify critical configuration files, or even escalate privileges by writing malicious code into executable locations. The vulnerability affects all callers of file-based drivers, making it particularly dangerous in environments where multiple applications interact with the same database interface.
This vulnerability maps directly to CWE-22 Path Traversal and CWE-352 Cross-Site Request Forgery patterns, representing a classic case of insufficient input validation combined with inadequate access control enforcement. From an ATT&CK framework perspective, this flaw enables T1059 Command and Scripting Interpreter techniques by allowing attackers to execute commands through file system manipulation, while also supporting T1078 Valid Accounts for privilege escalation when the database process has elevated permissions.
Mitigation strategies must address both immediate remediation and long-term architectural improvements. The primary solution involves upgrading to DBD::File version 1.651 or later where proper symbolic link validation has been implemented. Organizations should also implement additional controls such as restricting write permissions on data directories, monitoring for suspicious symbolic link creation, and employing file system access controls that limit the database process's ability to traverse arbitrary paths. Network segmentation and principle of least privilege enforcement can further reduce the impact if exploitation occurs. The vulnerability highlights the critical importance of validating all file system operations and implementing robust input sanitization practices in database drivers to prevent similar path traversal issues from occurring in other components of the system architecture.