{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21916", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "state": "PUBLISHED", "assignerShortName": "juniper", "dateReserved": "2026-01-05T17:32:48.711Z", "datePublished": "2026-04-09T21:28:05.552Z", "dateUpdated": "2026-04-10T03:56:10.740Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Junos OS", "vendor": "Juniper Networks", "versions": [{"lessThan": "23.2R2-S7", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "23.4R2-S6", "status": "affected", "version": "23.4", "versionType": "semver"}, {"lessThan": "24.2R2-S3", "status": "affected", "version": "24.2", "versionType": "semver"}, {"lessThan": "24.4R2-S2", "status": "affected", "version": "24.4", "versionType": "semver"}, {"lessThan": "25.2R2", "status": "affected", "version": "25.2", "versionType": "semver"}, {"status": "unaffected", "version": "25.4R1"}]}], "datePublic": "2026-04-08T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.<br><br>When after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.<br><br>This issue affects Junos OS:<br><ul><li>all versions before 23.2R2-S7,</li><li>23.4 versions before 23.4R2-S6,</li><li>24.2 versions before 24.2R2-S3,</li><li>24.4 versions before 24.4R2-S2,</li><li>25.2 versions before 25.2R2.</li></ul>This issue does not affect versions 25.4R1 or later."}], "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.\n\nWhen after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.\n\nThis issue affects Junos OS:\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R2.\n\n\nThis issue does not affect versions 25.4R1 or later."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "description": "CWE-61 UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2026-04-09T21:28:05.552Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://kb.juniper.net/JSA107807"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases.<br>"}], "value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases."}], "source": {"advisory": "JSA107807", "defect": ["1865633"], "discovery": "EXTERNAL"}, "title": "Junos OS: A low privileged user can escalate their privileges so that they can login as root", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "To prevent exploitation, use access controls to keep users from performing 'file link' operations."}], "value": "To prevent exploitation, use access controls to keep users from performing 'file link' operations."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21916"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T03:56:10.740Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.\n\nWhen after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.\n\nThis issue affects Junos OS:\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R2.\n\n\nThis issue does not affect versions 25.4R1 or later."}], "id": "CVE-2026-21916", "lastModified": "2026-04-09T22:16:24.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "sirt@juniper.net", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2026-04-09T22:16:24.953", "references": [{"source": "sirt@juniper.net", "url": "https://kb.juniper.net/JSA107807"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}], "source": "sirt@juniper.net", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,23.2R2-S7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[23.4,23.4R2-S6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[24.2,24.2R2-S3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[24.4,24.4R2-S2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[25.2,25.2R2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "25.4R1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Junos OS", "source": "cna", "vendor": "Juniper Networks"}, "product": "junos_os", "vendor": "juniper_networks"}], "analysis": {"en": {"generated_at": "2026-04-09T22:22:14.604486+00:00", "value": {"mitigation_remediation": ["Apply a software update to Junos OS 23.2R2\u2011S7 or later versions, such as 23.4R2\u2011S6, 24.2R2\u2011S3, 24.4R2\u2011S2, 25.2R2 or any newer release.", "As a temporary workaround, enforce access controls to prevent users from performing the 'file link' command.", "Verify the running OS version and confirm that the patched release is in use.", "Monitor system logs for any anomalous privilege escalation attempts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Juniper Networks Junos OS. All releases prior to 23.2R2\u2011S7, all 23.4 releases before 23.4R2\u2011S6, all 24.2 releases before 24.2R2\u2011S3, all 24.4 releases before 24.4R2\u2011S2, and all 25.2 releases before 25.2R2 are impacted. Version 25.4R1 and later do not contain the vulnerability.", "description_and_impact": "A vulnerable symbolic link handling in the Juniper Junos OS command line interface permits a local authenticated user with low privileges to exploit a symlink following flaw. The attacker can invoke a \"file link\" command, then another unrelated configuration commit by a different user causes the original user to become able to authenticate as root, effectively escalating privileges. This flaw is categorized as CWE\u201161: Improper Restriction of Operations within a Pathname.", "risk_and_exploitability": "The CVSS v3 score is 7.0, indicating high severity. EPSS information is not available, and the vulnerability is not listed in CISA KEV, meaning no known public exploitation is documented. The flaw requires local access with a low\u2011privileged account and the ability to perform a \"file link\" operation; once logged in, the attacker can trigger a session takeover and obtain root. Given the high impact of compromising the entire system and the lack of defensive measures beyond patching, the risk is significant."}}}}, "created": "2026-04-10T08:37:10.165482+00:00", "updated": "2026-04-10T09:28:15.230962+00:00", "vendors": ["juniper_networks", "juniper_networks$PRODUCT$junos_os"]}