CVE-2026-26002: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in OSC ondemand
Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.
AI Analysis
Technical Summary
CVE-2026-26002 is an injection vulnerability classified under CWE-74, affecting the Files application component of Open OnDemand, an open-source high-performance computing (HPC) portal. The vulnerability arises from improper neutralization of special elements in output that is subsequently processed by a downstream component. Specifically, when users navigate directories within the Files application in versions prior to 4.0.9, or in the 4.1 series prior to 4.1.3, maliciously crafted input can be injected, potentially leading to unintended command execution or manipulation of system behavior. The vulnerability does not require user interaction and can be exploited remotely over the network with low privileges, which raises its risk profile. The CVSS 4.0 base score is 6.3 (medium severity), with high impact on confidentiality, integrity, and availability, but no scope change or authentication bypass. The issue has been addressed in versions 4.0.9 and 4.1.3 by implementing proper input validation and output encoding to neutralize special characters before they reach downstream components. No public exploits or active exploitation have been reported to date, but the vulnerability poses a risk to HPC environments relying on affected Open OnDemand versions.
Potential Impact
The vulnerability could allow attackers to inject malicious input that downstream components interpret in unintended ways, potentially leading to unauthorized access, data leakage, or disruption of HPC portal services. This can compromise confidentiality by exposing sensitive HPC data or user information, integrity by altering data or commands, and availability by causing service interruptions or crashes. Given Open OnDemand's role as a gateway to HPC resources, exploitation could also facilitate lateral movement within HPC clusters or escalate privileges indirectly. Organizations relying on vulnerable versions may face operational disruptions, data breaches, or loss of trust from research partners. The lack of required user interaction and network accessibility increases the likelihood of exploitation attempts, especially in environments with exposed HPC portals.
Mitigation Recommendations
Organizations should immediately upgrade Open OnDemand installations to version 4.0.9 or 4.1.3 (or later) to apply the official patches. In addition to patching, implement strict input validation and output encoding on all user-supplied data, especially directory navigation inputs, to prevent injection of special characters. Employ network segmentation and firewall rules to restrict access to HPC portals to trusted users and networks. Monitor logs for unusual directory navigation patterns or injection attempts. Conduct regular security assessments and code reviews focusing on input handling in web applications. Consider deploying web application firewalls (WAFs) with custom rules to detect and block injection payloads targeting this vulnerability. Maintain an incident response plan tailored for HPC environments so that potential exploitation can be addressed quickly.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, South Korea, China, Netherlands, Switzerland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.859Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a8afacd1a09e29cb7ac718
Added to database: 3/4/2026, 10:18:20 PM
Last enriched: 3/4/2026, 10:33:41 PM
Last updated: 4/19/2026, 12:55:43 AM