CVE-2026-32097 is an authorization bypass vulnerability identified in the PingPong platform, a tool leveraging large language models for educational purposes, developed by comppolicylab. The flaw arises from improper validation of user-controlled keys, classified under CWE-639, which allows authenticated users to circumvent intended access controls. Specifically, users with permission to view at least one thread can retrieve files outside their authorization scope, and those with permission to participate in a thread can delete files beyond their permitted boundaries. These files include sensitive user-uploaded content and outputs generated by the platform’s models, potentially exposing private data or causing data loss. The vulnerability does not require elevated privileges beyond basic authenticated access and thread permissions, nor does it require user interaction, making it relatively easy to exploit. The CVSS 4.0 score of 8.6 reflects high severity due to the network attack vector, low complexity, no required user interaction, and significant impact on confidentiality and integrity. The vulnerability affects all PingPong versions prior to 7.27.2, where the issue has been addressed. No known exploits have been reported in the wild as of the publication date, but the risk remains substantial given the nature of the flaw and the sensitivity of the data involved.

The primary impact of CVE-2026-32097 is unauthorized access and manipulation of sensitive data within the PingPong platform. Confidentiality is compromised as attackers can retrieve private user-uploaded files and model-generated outputs beyond their authorization, potentially exposing personal or proprietary information. Integrity is also at risk because attackers can delete files outside their permitted scope, leading to data loss and disruption of educational workflows. Availability impact is minimal as the vulnerability does not directly enable denial-of-service conditions. Organizations relying on PingPong for teaching and learning may face data breaches, loss of trust, and operational disruptions. The ease of exploitation by authenticated users with minimal permissions increases the threat level, especially in environments with many users and sensitive data. Without prompt patching, attackers could leverage this vulnerability to escalate access and cause significant harm to data confidentiality and integrity.

To mitigate CVE-2026-32097, organizations should immediately upgrade PingPong to version 7.27.2 or later, where the vulnerability is fixed. Until patching is possible, restrict user permissions to the minimum necessary, especially limiting thread view and participation rights to trusted users. Implement monitoring and alerting for unusual file access or deletion activities within the platform. Conduct regular audits of file access logs to detect potential unauthorized retrieval or deletion. Employ network segmentation and access controls to limit exposure of the PingPong platform to only authorized personnel. Additionally, review and strengthen authorization logic in custom integrations or extensions to prevent similar bypass issues. Educate users on the importance of safeguarding their credentials to prevent unauthorized authenticated access. Finally, maintain an incident response plan to quickly address any suspected exploitation.