JustAppSec

CVE-2026-26960: node-tar extraction hardlink escape enables arbitrary file read/write

What happened

The CVE record for CVE-2026-26960 was published to the CVE List at 2026-02-20T01:07:52.979Z. It describes a vulnerability in node-tar (npm package tar) where, when using default extraction options in versions 7.5.7 and below, an attacker-controlled tar archive can create a hardlink inside the extraction directory that points to a file outside the intended extraction root, enabling arbitrary file read and write as the extracting user.

Who is impacted

  • Projects that use the npm package tar (node-tar) for extraction (directly or via transitive dependencies), and may extract untrusted or attacker-controlled tar archives.
  • Affected versions: tar < 7.5.8.
  • Severity (CVSS v3.1, CNA: GitHub_M): 7.1 HIGH (vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

What to do now

  • Upgrade npm package tar to 7.5.8 or later.
  • Audit code paths where tar.extract() is used with archives that could be influenced by external users (uploads, CI artifacts, build caches, plugin content, etc.).
  • Consider extracting in a sandboxed context (e.g., container/namespace with limited filesystem access) if untrusted archives must be processed.

Additional Information

  • CWE: CWE-22 (Path Traversal / improper limitation of pathname to a restricted directory).
  • The CVE record cites the upstream GitHub Security Advisory and fixing commits in isaacs/node-tar as references.

Source: CVE Project (cvelistV5)
Published 20 Feb 2026, updated 20 Feb 2026