Skip to main content

AIL Framework CVE-2026-56138

| EUVDEUVD-2026-37998 MEDIUM
Path Traversal (CWE-22)
2026-06-19 CIRCL GHSA-jmhf-2rhf-v8gj
5.3
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable via web interface (AV:N), low complexity (AC:L), requires authenticated session (PR:L), no user interaction; limited confidentiality impact only (gzip-readable files); no integrity or availability impact; scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 10:01 vuln.today
Analysis Generated
Jun 19, 2026 - 10:01 vuln.today

DescriptionCVE.org

AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects.

An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format.

The issue was fixed by validating that both requested items exist before their contents are accessed.

AnalysisAI

Path traversal in AIL Framework's /objects/item/diff endpoint exposes gzip-compressed server-side files to authenticated users. The Flask blueprint route in var/www/blueprints/objects_item.py accepted arbitrary item identifiers via s1 and s2 query parameters and attempted to read and compare their contents without first verifying they resolved to legitimate AIL objects, enabling directory traversal sequences to escape the items directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid AIL user credentials
Delivery
Authenticate to AIL web interface
Exploit
Craft path traversal string for s1 (and optionally s2) parameter
Execution
Send GET request to /objects/item/diff endpoint
Persist
Server reads target gzip-compressed file from traversed path
Impact
Attacker receives disclosed file contents in diff response

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated session on the AIL Framework web interface - the CVSS PR:L metric confirms authentication is mandatory and unauthenticated access is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, score 5.3) accurately characterizes the threat: network-reachable, low complexity, low privilege required, limited confidentiality impact, no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated AIL user sends a crafted GET request such as `GET /objects/item/diff?s1=../../var/log/somefile.gz&s2=<known_valid_item>` to the AIL web interface, causing the server to resolve the traversal sequence and read a gzip-compressed file outside the AIL items directory. The server decompresses and returns the file's contents as part of the diff response, disclosing potentially sensitive data. …
Remediation Apply the upstream fix by updating AIL Framework to a version that includes commit `074f9a432702d39d7f8db07ece3a11502cf36d73`, available at https://github.com/ail-project/ail-framework/commit/074f9a432702d39d7f8db07ece3a11502cf36d73; no specifically tagged release version has been confirmed from available data, so verify with the upstream repository for a stable release incorporating this change. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy