{"api_version":"1","generated_at":"2026-04-22T21:39:16+00:00","cve":"CVE-2026-21916","urls":{"html":"https://cve.report/CVE-2026-21916","api":"https://cve.report/api/cve/CVE-2026-21916.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-21916","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-21916"},"summary":{"title":"Junos OS: A low privileged user can escalate their privileges so that they can login as root","description":"A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.\n\nWhen after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.\n\nThis issue affects Junos OS:\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R2.\n\n\nThis issue does not affect versions 25.4R1 or later.","state":"PUBLISHED","assigner":"juniper","published_at":"2026-04-09 22:16:24","updated_at":"2026-04-17 18:05:52"},"problem_types":["CWE-61","CWE-61 CWE-61 UNIX Symbolic Link (Symlink) Following"],"metrics":[{"version":"4.0","source":"sirt@juniper.net","type":"Secondary","score":"7","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"7","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M","data":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":7,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"}},{"version":"3.1","source":"sirt@juniper.net","type":"Primary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://kb.juniper.net/JSA107807","name":"https://kb.juniper.net/JSA107807","refsource":"sirt@juniper.net","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-21916","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21916","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"affected 23.2R2-S7 semver","platforms":[]},{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"affected 23.4 23.4R2-S6 semver","platforms":[]},{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"affected 24.2 24.2R2-S3 semver","platforms":[]},{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"affected 24.4 24.4R2-S2 semver","platforms":[]},{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"affected 25.2 25.2R2 semver","platforms":[]},{"source":"CNA","vendor":"Juniper Networks","product":"Junos OS","version":"unaffected 25.4R1","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"To prevent exploitation, use access controls to keep users from performing 'file link' operations.","time":"","lang":"en"}],"exploits":[{"source":"CNA","title":"","value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability.","time":"","lang":"en"}],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r1-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r1-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.2","cpe7":"r2-s6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r1-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r1-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2-s3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2-s4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"23.4","cpe7":"r2-s5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r1-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r1-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r2-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.2","cpe7":"r2-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"r1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"r1-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"r1-s3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"r2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"24.4","cpe7":"r2-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"25.2","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"25.2","cpe7":"r1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"25.2","cpe7":"r1-s1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"21916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"juniper","cpe5":"junos","cpe6":"25.2","cpe7":"r1-s2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"21916","cve":"CVE-2026-21916","epss":"0.000120000","percentile":"0.017970000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-21916","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-10T03:56:11.604149Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-13T13:04:16.395Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Junos OS","vendor":"Juniper Networks","versions":[{"lessThan":"23.2R2-S7","status":"affected","version":"0","versionType":"semver"},{"lessThan":"23.4R2-S6","status":"affected","version":"23.4","versionType":"semver"},{"lessThan":"24.2R2-S3","status":"affected","version":"24.2","versionType":"semver"},{"lessThan":"24.4R2-S2","status":"affected","version":"24.4","versionType":"semver"},{"lessThan":"25.2R2","status":"affected","version":"25.2","versionType":"semver"},{"status":"unaffected","version":"25.4R1"}]}],"datePublic":"2026-04-08T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.
When after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.
This issue affects Junos OS:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S3,
- 24.4 versions before 24.4R2-S2,
- 25.2 versions before 25.2R2.
This issue does not affect versions 25.4R1 or later."}],"value":"A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.\n\nWhen after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.\n\nThis issue affects Junos OS:\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R2.\n\n\nThis issue does not affect versions 25.4R1 or later."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}],"value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":7,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-61","description":"CWE-61 UNIX Symbolic Link (Symlink) Following","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-09T21:28:05.552Z","orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper"},"references":[{"tags":["vendor-advisory"],"url":"https://kb.juniper.net/JSA107807"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases.
"}],"value":"The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases."}],"source":{"advisory":"JSA107807","defect":["1865633"],"discovery":"EXTERNAL"},"title":"Junos OS: A low privileged user can escalate their privileges so that they can login as root","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"To prevent exploitation, use access controls to keep users from performing 'file link' operations."}],"value":"To prevent exploitation, use access controls to keep users from performing 'file link' operations."}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","assignerShortName":"juniper","cveId":"CVE-2026-21916","datePublished":"2026-04-09T21:28:05.552Z","dateReserved":"2026-01-05T17:32:48.711Z","dateUpdated":"2026-04-13T13:04:16.395Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-09 22:16:24","lastModifiedDate":"2026-04-17 18:05:52","problem_types":["CWE-61","CWE-61 CWE-61 UNIX Symbolic Link (Symlink) Following"],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.3,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*","versionEndExcluding":"23.2","matchCriteriaId":"3D14745F-3090-483F-9DB4-C424FA09BD21"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*","matchCriteriaId":"1A78CC80-E8B1-4CDA-BB35-A61833657FA7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*","matchCriteriaId":"4B3B2FE1-C228-46BE-AC76-70C2687050AE"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"F1B16FF0-900F-4AEE-B670-A537139F6909"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"B227E831-30FF-4BE1-B8B2-31829A5610A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*","matchCriteriaId":"1ADA814B-EF98-45B1-AF7A-0C89688F7CA5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*","matchCriteriaId":"A6FB32DF-D062-4FB9-8777-452978BEC7B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*","matchCriteriaId":"B3B6C811-5C10-4486-849D-5559B592350A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*","matchCriteriaId":"078D61B9-A228-453C-9D20-6F9C6B20637F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s4:*:*:*:*:*:*","matchCriteriaId":"F1F136A0-021D-43FE-BDD3-AD7201F7FC03"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s5:*:*:*:*:*:*","matchCriteriaId":"37147BC9-9ED8-48AE-906A-614AD8600962"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s6:*:*:*:*:*:*","matchCriteriaId":"7897729C-4128-49E9-B4A1-25353BC4DBB2"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*","matchCriteriaId":"78481ABC-3620-410D-BC78-334657E0BB75"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*","matchCriteriaId":"BE8A5BA3-87BD-473A-B229-2AAB2C797005"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*","matchCriteriaId":"8B74AC3E-8FC9-400A-A176-4F7F21F10756"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"CB2D1FCE-8019-4CE1-BA45-D62F91AF7B51"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*","matchCriteriaId":"175CCB13-76C0-44A4-A71D-41E22B92EB23"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*","matchCriteriaId":"166BFDB3-1945-4949-BC2B-E18442FF2E4D"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*","matchCriteriaId":"5923610F-878C-48CA-8B5D-9C609E4DD4DB"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*","matchCriteriaId":"A7C207E3-0252-4192-8E8C-E2ED2831B4F4"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*","matchCriteriaId":"E6974492-FE69-4340-8881-61C3329C1545"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s5:*:*:*:*:*:*","matchCriteriaId":"279E59FE-96DF-4E1D-A3A2-61D180F04533"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:-:*:*:*:*:*:*","matchCriteriaId":"89524D6D-0B22-4952-AD8E-8072C5A05D5C"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1:*:*:*:*:*:*","matchCriteriaId":"AD69A194-1B03-44EA-8092-79BD10C6F729"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"8463ADB4-B8A7-4D63-97A9-232ED713A21C"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"FE68337F-106E-4317-A5B6-292B0159F577"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:*","matchCriteriaId":"266B520A-482A-43F7-90F8-B9D64D30034F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r2-s1:*:*:*:*:*:*","matchCriteriaId":"AC78BC9E-5DA7-4E42-9923-B49A0B7F3564"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r2-s2:*:*:*:*:*:*","matchCriteriaId":"DD99F1B0-82B0-4CD3-8C8F-C0FFF44A8B90"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*","matchCriteriaId":"C452BDCB-34E3-42D3-8909-2312356EB70A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*","matchCriteriaId":"2B8158F2-2028-40E9-955F-CFD581A32F60"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"1A7233A1-EC7A-4458-9AE1-835480A03A21"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1-s3:*:*:*:*:*:*","matchCriteriaId":"D74087E2-5CAA-4085-8408-EB70EC1D5D91"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*","matchCriteriaId":"0EEF1798-F3C2-4645-96E7-1E82368B184D"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r2-s1:*:*:*:*:*:*","matchCriteriaId":"C8BB5EE1-04C7-4DF3-807A-06005ECFEEE5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:25.2:-:*:*:*:*:*:*","matchCriteriaId":"1B7572BB-9C77-4214-9C5F-CC83C7B93E37"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:25.2:r1:*:*:*:*:*:*","matchCriteriaId":"CAADBF98-38BE-40E2-AF1B-9077DCED0809"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:25.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"558F0A4C-0C72-4BF1-B2DE-C0D3BFD54BCD"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:25.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"127FE528-AB27-4B18-AF3B-1BE7C0AEEE20"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"21916","Ordinal":"1","Title":"Junos OS: A low privileged user can escalate their privileges so","CVE":"CVE-2026-21916","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"21916","Ordinal":"1","NoteData":"A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.\n\nWhen after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.\n\nThis issue affects Junos OS:\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R2.\n\n\nThis issue does not affect versions 25.4R1 or later.","Type":"Description","Title":"Junos OS: A low privileged user can escalate their privileges so"}]}}}