CVE-2026-6589

| EUVD-2026-23731 MEDIUM
2026-04-20 VulDB
CSRF
5.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
CVSS Changed
Apr 20, 2026 - 01:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 01:18 vuln.today

DescriptionNVD

A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site request forgery (CSRF) in ComfyUI up to version 0.13.0 allows unauthenticated remote attackers to modify application state via crafted requests to the create_origin_only_middleware function in server.py. The vulnerability requires user interaction (clicking a malicious link or visiting an attacker-controlled site) but has low integrity impact and is publicly exploitable with proof-of-concept code available. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6589 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy