CVE-2026-56138: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ail-project ail-framework
AIL framework versions prior to 6.8.0 contain a path traversal vulnerability in the /objects/item/diff endpoint. Authenticated users could exploit this by supplying crafted item identifiers with path traversal sequences, causing the application to read unauthorized gzip-compressed files accessible to the AIL process. The vulnerability arises because the endpoint did not verify the existence of both referenced items before accessing their contents. This issue was fixed by adding validation to ensure both items exist before access.
AI Analysis
Technical Summary
CVE-2026-56138 is a path traversal vulnerability (CWE-22) in the ail-framework's /objects/item/diff endpoint. The endpoint accepts item identifiers via s1 and s2 query parameters but previously failed to verify that these items existed as valid AIL objects before reading their contents. An authenticated user could exploit this flaw by crafting item identifiers containing path traversal sequences, enabling unauthorized reading of gzip-compressed files readable by the application. The vulnerability was addressed by implementing validation checks confirming the existence of both requested items prior to content access.
Potential Impact
Exploitation allows an authenticated user to cause the application to read and disclose local gzip-compressed files accessible to the AIL process. This leads to unauthorized disclosure of local file contents limited to files readable by the application and compatible with the expected gzip format. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, and limited confidentiality impact.
Mitigation Recommendations
A fix is available in ail-framework version 6.8.0 and later, which adds validation to ensure both requested items exist before their contents are accessed. Users should upgrade to version 6.8.0 or later to remediate this vulnerability. No vendor advisory or official patch link is provided, so verify with the vendor for the latest remediation guidance.
CVE-2026-56138: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ail-project ail-framework
Description
AIL framework versions prior to 6.8.0 contain a path traversal vulnerability in the /objects/item/diff endpoint. Authenticated users could exploit this by supplying crafted item identifiers with path traversal sequences, causing the application to read unauthorized gzip-compressed files accessible to the AIL process. The vulnerability arises because the endpoint did not verify the existence of both referenced items before accessing their contents. This issue was fixed by adding validation to ensure both items exist before access.
CVSS v4.0
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-56138 is a path traversal vulnerability (CWE-22) in the ail-framework's /objects/item/diff endpoint. The endpoint accepts item identifiers via s1 and s2 query parameters but previously failed to verify that these items existed as valid AIL objects before reading their contents. An authenticated user could exploit this flaw by crafting item identifiers containing path traversal sequences, enabling unauthorized reading of gzip-compressed files readable by the application. The vulnerability was addressed by implementing validation checks confirming the existence of both requested items prior to content access.
Potential Impact
Exploitation allows an authenticated user to cause the application to read and disclose local gzip-compressed files accessible to the AIL process. This leads to unauthorized disclosure of local file contents limited to files readable by the application and compatible with the expected gzip format. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, and limited confidentiality impact.
Mitigation Recommendations
A fix is available in ail-framework version 6.8.0 and later, which adds validation to ensure both requested items exist before their contents are accessed. Users should upgrade to version 6.8.0 or later to remediate this vulnerability. No vendor advisory or official patch link is provided, so verify with the vendor for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CIRCL
- Date Reserved
- 2026-06-19T08:03:52.032Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3510cef198dc38c1f1cdbb
Added to database: 6/19/2026, 9:50:06 AM
Last enriched: 6/19/2026, 10:05:08 AM
Last updated: 6/19/2026, 4:12:07 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.