Skip to main content

Pathway EUVDEUVD-2026-41425

| CVE-2026-59094 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-02 VulnCheck GHSA-22xx-xg3v-m8g7
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated endpoint (AV:N/PR:N), trivially crafted pattern (AC:L), no confidentiality or integrity impact and no scope change, availability fully impacted (A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:32 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
7.5 (HIGH) 8.7 (HIGH)

DescriptionCVE.org

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or -count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.

AnalysisAI

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed document store endpoint
Delivery
Craft short glob with many ** tokens
Exploit
POST to /v1/retrieve or /v2/answer
Execution
Trigger exponential recursive matching per document
Persist
Repeat few requests to exhaust CPU
Impact
Service denied to legitimate users

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Pathway document store's HTTP API - specifically the /v1/retrieve, /v1/inputs or /v2/answer endpoints - is network-reachable by the attacker; no authentication is needed (PR:N) and the endpoints accept an attacker-controlled filepath_globpattern in the request body with no length or **-count limit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine, easily-triggered availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an exposed Pathway document store sends a small POST to /v1/retrieve (or /v1/inputs or /v2/answer) whose body sets filepath_globpattern to a short string containing many ** tokens. The custom recursive matcher evaluates this pattern against every indexed document, burning tens of seconds of CPU per request; a few concurrent requests saturate the workers and deny service to legitimate users. …
Remediation Upstream fix available (commit d09722e via PR #250); a released patched version number is not independently confirmed from the provided data, so upgrade to the first tagged Pathway release that includes commit d09722eef03fd94bba701836eb4c7fbfa3d3b88e (verify against the repository beyond 0.31.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Pathway deployments (versions through 0.31.1), monitor /v1/retrieve, /v1/inputs, and /v2/answer endpoints for suspicious glob pattern requests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy