acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-54369 is a symlink traversal vulnerability affecting the libacl library before version 2.4.0. The vulnerability exists in pathname-based ACL functions (acl_get_file, acl_set_file, acl_extended_file, and acl_delete_def_file) that fail to properly validate symbolic links during file operations. Local attackers who can control any component of a pathname processed by a privileged application can redirect ACL operations to arbitrary files or directories, leading to unauthorized privilege escalation and access control manipulation. This affects systems running vulnerable versions of libacl, particularly in multi-user environments where unprivileged users can influence filesystem paths or in containerized deployments where privilege boundaries are exploited.
While CVE-2026-54369 does not map directly to current MITRE ATT&CK techniques, Casky's extended reasoning capabilities would identify this vulnerability through detection of access control abuse patterns and file system manipulation behaviors. Practitioners using Casky would observe findings related to suspicious ACL modifications on files outside expected directories, unexpected symlink creation in monitored paths, and privilege escalation attempts through file operation redirection. The platform's 754 mapped security skills enable detection of the underlying attack pattern—local privilege escalation via filesystem tricks—by correlating unusual ACL access patterns, symlink presence in critical paths, and privilege context changes during file operations. Organizations should prioritize upgrading libacl and implementing file integrity monitoring to detect symlink-based traversal attempts.
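As an added example (not code from libacl or from this page), the C code below shows one way a privileged caller can refuse the pathname-component swap described above: it resolves the path one component at a time with `openat()` and `O_NOFOLLOW`, so a symbolic link at any position fails with `ELOOP`, and the resulting descriptor can be handed to fd-based calls such as `acl_get_fd()` instead of a pathname. The names `open_nosymlink` and `demo_result` and the sample tree are constructed for this example; it assumes Linux, a trusted base directory, and paths that contain no `..`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve `path` below the trusted directory fd `base` one component at a
 * time, refusing symlinks at every step. Returns an fd, or -1 with errno. */
int open_nosymlink(int base, const char *path)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int fd = dup(base);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c;
         c = strtok_r(NULL, "/", &save)) {
        int next = openat(fd, c, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        int saved = errno;   /* symlink component => ELOOP from O_NOFOLLOW */
        close(fd);
        errno = saved;
        fd = next;
    }
    return fd;
}

/* Constructed tree in /tmp: real/file, link -> real, real/flink -> file.
 * Returns 0 if `rel` opens, the refusal's errno otherwise, -1 on setup error. */
int demo_result(const char *rel)
{
    static int root = -1;
    char tmpl[] = "/tmp/acl-demo-XXXXXX";
    if (root < 0) {
        int f = -1;
        if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0 ||
            mkdirat(root, "real", 0700) != 0 ||
            (f = openat(root, "real/file", O_CREAT | O_WRONLY, 0600)) < 0 ||
            symlinkat("real", root, "link") != 0 ||
            symlinkat("file", root, "real/flink") != 0)
            return -1;
        close(f);
    }
    int fd = open_nosymlink(root, rel), err = errno;
    if (fd >= 0) close(fd);
    return fd < 0 ? err : 0;
}

int main(void) { return demo_result("real/file") || demo_result("link/file") != ELOOP; }
```

The same walk refuses a symlink whether it replaces a directory component (`link/file`) or the final component (`real/flink`), which are the two positions the advisory text covers with "any pathname component".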
© 2026 Casky.AI, Inc. · AI Security Investigation