Update for ArchivistaBox now available
Egg, May 5th 2026: A serious root-level bug affecting all current Linux systems has been known for the past few days. The security vulnerability, known as copy-fail, allows attackers to immediately gain comprehensive root privileges from a regular account, enabling them to modify or destroy any affected computer as they please.
All Linux solutions are affected, including ArchivistaBox
Copy-fail refers to a situation where a regular local program can impersonate the root (system) user without requiring a password. This can lead to uncontrolled modifications or even destruction of the system.
It could be argued that this is not such a dramatic issue with a web-based solution like ArchivistaBox, because users ‘only’ work via the web interface. This means that as long as the Apache web server is not attacked, no attack will succeed.
While this is true, a Linux system contains thousands of programs and hundreds of thousands of files, all of which need to be updated in a timely manner. It is therefore sufficient for the attack to be packaged within a library. According to heise.de, attacks on Linux systems are already occurring.
What makes matters worse is that the attack currently requires only 700 lines of Python code. We tested this behavior on Friday (the day the vulnerability was published) and confirmed (unsurprisingly) that this is indeed the case.
For this reason, our systems were patched on Friday. On Saturday, the underlying infrastructure of our server farm was fixed (sorry for the outage between approximately 7 and 10 a.m.).
All customers should update immediately
Unfortunately, all Linux systems worldwide are affected by the root vulnerability. The ArchivistaBox is no exception, nor is it a special case. Accordingly, the systems must be updated immediately.
Customers using the latest release (from 2024 onwards) can send us an email, and we will prioritize creating the corresponding ISO files for them. Customers using older versions must now upgrade to the latest release. Depending on the maintenance level of the solution, this step may be fairly straightforward or more complex.
Community versions
For those working with the community version, please note: The ArchivistaBox AGPLv3 in version 2026 already has an update available, which can be downloaded here:
https://archivista.ch/cms/avmulti26
Those who are using the 2025 version should upgrade to version 2026 immediately. Updates will also be provided to AVMultimedia users as soon as possible. However, please also understand that the ArchivistaBox is being updated with the latest versions in a timely manner to minimize potential risks. We will inform you as soon as the updates are available.
