CVE-2026-58403 in Hugo
Summary
by MITRE • 07/06/2026
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability described affects Hugo static site generator versions between 0.123.0 and 0.163.0, specifically within its virtual filesystem implementation. This represents a critical path traversal and privilege escalation flaw that undermines the security boundaries established by Hugo's mount system. The core issue stems from a regression in the RootMappingFs.statRoot method where the implementation incorrectly invokes the Stat function instead of Lstat, fundamentally altering how file system operations are handled within mounted directories.
The technical flaw manifests through improper symlink handling within Hugo's virtual filesystem architecture. When a malicious symlink is placed within a theme or local mount directory, the incorrect use of Stat over Lstat allows the system to follow symbolic links and access files outside the intended mount tree. This regression essentially bypasses the designed security isolation that should prevent files under a mount from accessing content beyond their designated boundaries. The vulnerability specifically impacts the os.ReadFile operation when processing symlinks pointing to arbitrary locations, enabling unauthorized file reads.
This vulnerability creates significant operational impact for Hugo users running affected versions, as it allows attackers with write access to theme or local mount directories to read any files accessible to the user account running the Hugo process. The attack surface extends beyond just theme directories to include any location where mounts are configured, potentially exposing sensitive configuration files, source code, or system files. The privilege escalation aspect means that an attacker could gain access to information that should remain isolated within their intended mount boundaries.
The fix implemented in version 0.163.1 addresses the core regression by restoring proper symlink handling through the use of Lstat instead of Stat in the RootMappingFs.statRoot method. This change ensures that symbolic links are not followed during file system operations, maintaining the intended isolation boundaries of Hugo's mount system. From a cybersecurity perspective, this vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and represents a classic example of how seemingly minor code changes can introduce critical security regressions in file system operations.
Organizations using Hugo should immediately upgrade to version 0.163.1 or later to remediate this vulnerability, particularly those running Hugo with elevated privileges or in environments where theme directories might be writable by untrusted users. The issue demonstrates the importance of thorough regression testing for file system security features and highlights how symlink handling can become a critical attack vector when not properly implemented. This vulnerability also relates to ATT&CK technique T1059 (Command and Scripting Interpreter) and T1566 (Phishing) as attackers could potentially use this weakness to extract sensitive information from compromised systems through carefully crafted symlink placement in theme directories.