=37.0.0 <44.0.2

Q: How to fix?

Upgrade wasmtime-wasi to version 24.0.9, 36.0.10, 44.0.2 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Access Control Bypass vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-RUST-WASMTIMEWASI-16874177
published25 May 2026
disclosed21 May 2026
creditshumbo

Report a new vulnerability Found a mistake?

Introduced: 21 May 2026

NewCVE-2026-47261 (opens in a new tab) CWE-284 (opens in a new tab)

How to fix?

Upgrade wasmtime-wasi to version 24.0.9, 36.0.10, 44.0.2 or higher.

Overview

wasmtime-wasi is a Crate defining the Wasi type for Wasmtime, which represents a WASI instance which may be added to a linker.

Affected versions of this package are vulnerable to Access Control Bypass via the path_open process. An attacker can gain unauthorized write access by exploiting the bypass of FilePerms::WRITE host restriction.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None