diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 01fe7058d..c6ebd8159 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -27,6 +27,12 @@ Added
 - ``rebalancer_enabled`` field to boxinfo GraphQL API.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Changed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Config section names with relative paths are prohibited.
+
 -------------------------------------------------------------------------------
 [2.8.6] - 2024-02-01
 -------------------------------------------------------------------------------
diff --git a/cartridge/clusterwide-config.lua b/cartridge/clusterwide-config.lua
index e98e17968..932ca2681 100644
--- a/cartridge/clusterwide-config.lua
+++ b/cartridge/clusterwide-config.lua
@@ -492,6 +492,13 @@ local function save(clusterwide_config, path)
 end
 for section, content in pairs(clusterwide_config._plaintext) do
+ if section:find("%.%.") then -- filename contains '..'
+ err = SaveConfigError:new(
+ 'Relative paths in config is prohibited: %q',
+ section
+ )
+ goto rollback
+ end
 local abspath = fio.pathjoin(random_path, section)
 local dirname = fio.dirname(abspath)
diff --git a/test/unit/clusterwide_config_test.lua b/test/unit/clusterwide_config_test.lua
index d992203bc..bd285dad7 100644
--- a/test/unit/clusterwide_config_test.lua
+++ b/test/unit/clusterwide_config_test.lua
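Review bot: The new guard in `save()` (cartridge/clusterwide-config.lua) matches the substring `..` anywhere in the section name, so it rejects harmless names such as `a..b.yml` while never confirming the property that matters, namely that `abspath` stays under `random_path`. Whether a section name starting with `/` is kept inside `random_path` depends on how `fio.pathjoin` handles it, which this hunk does not show, so that case deserves an explicit rejection or a test. Consider checking path components rather than the raw string, e.g. `for part in section:gmatch('[^/]+') do if part == '..' then ... end end`. The message would read better as `'Relative paths in config are prohibited: %q'`; the new unit test pins the same string and would need the matching change. The rest of the loop body and the `rollback` label lie outside the hunk.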
@@ -361,6 +361,22 @@ function g.test_save_err()
 t.assert_equals(utils.file_read(g.tempdir .. '/config'), '---\n...')
 end
+function g.test_relative_path_err()
+ write_tree({['config'] = '---\n...'})
+ local relative_path = '../../file'
+ local cfg = ClusterwideConfig.new({[relative_path] = 'content'})
+ local ok, err = ClusterwideConfig.save(cfg, g.tempdir .. '/config')
+ t.assert_equals(ok, nil)
+ t.assert_covers(err, {
+ class_name = 'SaveConfigError',
+ err = string.format(
+ "Relative paths in config is prohibited: %q",
+ relative_path
+ )
+ })
+ t.assert_equals(utils.file_read(g.tempdir .. '/config'), '---\n...')
+end
+
 function g.test_save_ok()
 local cfg = ClusterwideConfig.new()
 local ok, err = ClusterwideConfig.save(cfg, g.tempdir .. '/cfg1')
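Review bot: `g.test_relative_path_err` exercises only a section name that begins with `../`, so the boundary of the new rule is not pinned: a name with `..` in the middle such as `'dir/../file'`, a name starting with `/`, and a benign name that merely contains two dots are all untested. The final assertion confirms the existing `config` file is unchanged, but nothing checks that the rollback left no temporary directory or partial file behind; where `save()` stages its files is not visible here, so an assertion on the contents of `g.tempdir` after the failed save would presumably cover it. A short comment above the test, `-- section names must not escape the config directory`, would record why the case exists.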