Skip to main content

Pathway

1 CVEs product

Monthly

CVE-2026-59094 HIGH POC PATCH This Week

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many ** tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each ** without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. Publicly available exploit code exists and a vendor patch (commit d09722e) is available; the flaw is not listed in CISA KEV.

Information Disclosure Pathway
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many ** tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each ** without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. Publicly available exploit code exists and a vendor patch (commit d09722e) is available; the flaw is not listed in CISA KEV.

Information Disclosure Pathway
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy