
ComfyUI EUVD-2026-23735 | CVE-2026-6591 (LOW)
Path Traversal (CWE-22)
Published 2026-04-20 · VulDB
CVSS 4.0 score: 2.1 (NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality Low, Integrity None, Availability None (VC:L/VI:N/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity (threat metric): Proof-of-Concept (E:P)

CVSS 4.0 has no Scope metric; the vulnerable-system and subsequent-system impact groups replace it, and all environmental fields in this vector are unset (X).

Lifecycle Timeline

Apr 29, 2026 01:12 · NVD · Severity changed: MEDIUM → LOW
Apr 29, 2026 01:12 · NVD · CVSS changed: 5.3 (MEDIUM) → 2.1 (LOW)
Apr 29, 2026 01:00 · vuln.today · PoC detected: public exploit code
Apr 20, 2026 01:22 · NVD · CVSS changed: 4.3 (MEDIUM) → 5.3 (MEDIUM)
Apr 20, 2026 01:18 · vuln.today · Analysis generated
Apr 20, 2026 01:15 · euvd · EUVD ID assigned: EUVD-2026-23735
Apr 20, 2026 01:15 · vuln.today · Analysis generated
Apr 20, 2026 01:00 · nvd · CVE published: 2.1 (LOW)

Description (CVE.org)

A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Path traversal in ComfyUI up to version 0.13.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the Name argument handled by folder_paths.get_annotated_filepath in the LoadImage Node. Public exploit code exists. The flaw sits in the image loading path, so any user with valid credentials can read files outside the intended image directories, limited to what the ComfyUI process itself can read (the CVSS vector rates the confidentiality impact as Low, with no integrity or availability impact).


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

1. Recon: obtain valid ComfyUI credentials or compromise an existing user account (PR:L).
2. Delivery: authenticate to the ComfyUI instance.
3. Exploit: reach the LoadImage Node interface.
4. Install: inject a path traversal sequence into the Name parameter.
5. C2: send the crafted request so that the value reaches folder_paths.get_annotated_filepath.
6. Execute: the function resolves the path outside the intended directory.
7. Impact: the attacker reads arbitrary file contents.

The phase labels are a generic kill-chain template. For this flaw the whole chain is a single authenticated request that returns file contents: nothing is installed on the host and no command-and-control channel is involved.

Vulnerability Assessment (AI-generated)

Exploitation: The vulnerability requires authenticated access to a ComfyUI instance (PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS score of 4.3 at the time of this analysis (NVD later revised it to 5.3 and then to 2.1, see the timeline above) reflects a low-to-moderate risk profile: network attack vector, low complexity, low privileges required (PR:L), and impact limited to the confidentiality of files readable by the ComfyUI process (VC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated user, or an attacker holding valid ComfyUI credentials, sends a crafted request to the LoadImage Node with a path traversal sequence (e.g. '../../../etc/passwd') in the Name argument. folder_paths.get_annotated_filepath does not sanitize the value and resolves it to a file outside the intended image directory, so the response discloses that file's contents. Likely targets are whatever the service account can read: configuration files, API keys stored beside the instance, or source code.

Remediation: Upgrade ComfyUI to a version newer than 0.13.0 once a patched release is available; this page lists no fixed version, and the CVE description records that the vendor did not respond to the disclosure. Until a fix is confirmed, treat every account on the instance as able to read any file the ComfyUI process can read: keep the instance off untrusted networks, run it under a dedicated account with no access to secrets it does not need, and review accounts and access logs for LoadImage requests whose Name value carries '..' segments or an absolute path. … Detailed patch versions, workarounds, and compensating controls in full report.
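The resolver pattern that the analysis and the exploit scenario describe, as an added illustration that is not ComfyUI's own folder_paths.get_annotated_filepath: a trailing annotation such as ' [output]' selects a base directory and the rest of the Name value is joined onto it. The directory table, annotation tags and function names are assumptions made for this example. resolve_unsafe shows the CWE-22 pattern, resolve_safe the canonicalise-and-contain fix, and is_traversal is a triage helper for checking a Name value before it reaches the filesystem.

```python
import os

# Hypothetical model of an "annotated file path" resolver. This is an added
# illustration, not ComfyUI's code: the paths, tags and names are assumptions.

# Constructed directory table (hypothetical paths; nothing is read from disk).
DIRS = {
    "input": "/srv/comfy/input",
    "output": "/srv/comfy/output",
    "temp": "/srv/comfy/temp",
}

ANNOTATIONS = ("[output]", "[input]", "[temp]")


def split_annotation(name):
    """Split 'cat.png [output]' into ('cat.png', 'output'); default kind is 'input'."""
    for tag in ANNOTATIONS:
        if name.endswith(tag):
            return name[: -len(tag)].rstrip(), tag.strip("[]")
    return name, "input"


def resolve_unsafe(name, dirs=DIRS):
    """Vulnerable pattern: trust the user-supplied name and join it onto the base.

    os.path.join keeps '..' segments, and discards the base entirely when the
    stem is absolute, so both '../../../etc/passwd' and '/etc/passwd' escape.
    """
    stem, kind = split_annotation(name)
    return os.path.join(dirs[kind], stem)


def resolve_safe(name, dirs=DIRS):
    """Hardened pattern: canonicalise, then require the result to stay under the base."""
    stem, kind = split_annotation(name)
    base = os.path.realpath(dirs[kind])
    # realpath also follows symlinks, so a link planted inside the base that
    # points outside it is rejected as well, not only '..' sequences.
    candidate = os.path.realpath(os.path.join(base, stem))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == base:
        raise ValueError(f"refusing path outside {kind} directory: {name!r}")
    return candidate


def is_traversal(name, dirs=DIRS):
    """Triage helper: True if the name would escape its base directory."""
    try:
        resolve_safe(name, dirs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values for the LoadImage 'Name' argument.
    samples = [
        "cat.png",
        "cat.png [output]",
        "sub/dir/cat.png [temp]",
        "../../../etc/passwd [input]",
        "/etc/passwd [output]",
    ]
    for s in samples:
        print(f"{s!r:40} unsafe -> {os.path.normpath(resolve_unsafe(s))}")
        print(f"{'':40} safe   -> {'REJECTED' if is_traversal(s) else resolve_safe(s)}")
```

Run the block directly to see the two resolvers side by side on the constructed samples. The containment check has to run on the exact string the application will hand to the filesystem: checking before URL-decoding, or before a later join, defeats it, and normpath alone is not enough because it does not follow symlinks.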



EUVD-2026-23735 vulnerability details – vuln.today
