Skip to main content

NLTK CVE-2026-0847

HIGH
Path Traversal (CWE-22)
2026-03-04 security@huntr.dev GHSA-68j8-pq59-fqgm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 28, 2026 - 00:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 00:37 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 00:37 NVD
8.6 (HIGH) 7.5 (HIGH)
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 04, 2026 - 19:16 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 pypi packages depend on nltk (15 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.9.2.

DescriptionNVD

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.

AnalysisAI

Path traversal in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows remote unauthenticated attackers to read arbitrary files from the server hosting NLP applications. Multiple CorpusReader classes (WordListCorpusReader, TaggedCorpusReader, BracketParseCorpusReader) fail to sanitize file paths, enabling directory traversal to access sensitive files including SSH keys, API tokens, and system configurations. This poses critical risk in machine learning APIs, chatbots, and NLP pipelines that process user-controlled file inputs. EPSS score of 0.25% (48th percentile) suggests low widespread exploitation probability despite public disclosure via huntr.com bounty, though the unauthenticated network vector (AV:N/PR:N) and zero attack complexity make this readily exploitable once targets are identified.

Technical ContextAI

NLTK (Natural Language Toolkit) is a widely-used Python library for natural language processing and computational linguistics. The vulnerability affects CorpusReader classes responsible for loading and parsing linguistic corpora from the filesystem. The root cause (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from inadequate validation of file path parameters passed to these reader classes. Attackers can inject path traversal sequences (e.g., '../../../etc/passwd') in filenames or corpus identifiers, bypassing intended directory restrictions. The affected component cpe:2.3:a:nltk:nltk operates in many production environments as a backend service for text analysis, sentiment analysis, tokenization, and machine learning model preprocessing, making file system access controls critical. The vulnerability exists in core data loading functions that directly interact with the operating system's file API without canonicalization or jail restrictions.

RemediationAI

Upgrade NLTK to version 3.9.3 or later where vendor patch is available (exact patched version should be confirmed from https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966 or official NLTK release notes). As immediate mitigation for systems that cannot upgrade, implement application-layer input validation to reject file paths containing traversal sequences ('..' components, absolute paths, symbolic links) before passing to CorpusReader classes - use allowlist validation restricting corpus names to alphanumeric identifiers mapped server-side to absolute paths. Deploy filesystem-level controls such as chroot jails, containers with read-only mounts, or AppArmor/SELinux policies restricting NLTK process file access to designated corpus directories only. Note that input filtering alone may be bypassed via encoding variations (URL encoding, Unicode normalization) so defense-in-depth with OS-level restrictions is essential. Monitor file access logs for unusual patterns indicating traversal attempts. If NLTK functionality is exposed via web APIs, ensure the API gateway enforces strict schema validation on corpus identifiers. Review application architecture to eliminate scenarios where user input directly controls file path parameters to NLTK functions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-0847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy