Description
A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in AIDC‑AI ComfyUI‑Copilot up to version 2.0.28 in the Workflow Checkpoint Restore handler of backend/controller/conversation_api.py. It is classified as CWE‑99, Improper Control of Resource Identifiers ('Resource Injection'): the handler lets a client‑supplied identifier choose which backend resource is operated on without sufficiently constraining that identifier. The record does not describe the exact processing involved. The published CVSS vectors record a low confidentiality impact only (VC:L, no integrity or availability impact), reachable with low privileges and no user interaction, which is consistent with an authenticated caller being able to reach a checkpoint or related resource it was not meant to access.

Affected Systems

AIDC‑AI ComfyUI‑Copilot, versions up to 2.0.28, specifically the Workflow Checkpoint Restore component accessed via the conversation_api.py endpoint.

Risk and Exploitability

The CVSS 4.0 score of 2.3 (CVSS 3.x: 3.1) classifies this issue as low severity. The record notes that a proof‑of‑concept exploit has been published and that the attack can be performed remotely, but it requires low privileges on the application, carries high attack complexity, and its exploitability is assessed as difficult; the SSVC decision point rates it as not automatable with partial technical impact. The EPSS score is below 1% (very low) and the vulnerability is not listed in CISA KEV. Organizations should be aware that the vulnerability exists and a public proof of concept is available, though overall risk remains low at this time.

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.

Remediation

No fixed release or vendor workaround is available yet. The record notes that a pull request addressing the issue has been submitted and awaits acceptance.

OpenCVE Recommended Actions

  • Update to a patched version of ComfyUI‑Copilot once it becomes available (the fix is pending in an unmerged pull request)
  • Restrict remote access to the Workflow Checkpoint Restore endpoint or limit the privileges of users who can call it
  • Implement strict validation of resource identifiers in the restore handler: accept only identifiers of the expected form, resolve them through a server‑side lookup, and verify that the calling session is authorized for the referenced checkpoint

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.
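The following is an added illustration of the identifier‑validation advice above; it is not ComfyUI‑Copilot's code and does not reproduce the flawed processing, which the record does not describe. It models a generic checkpoint‑restore handler: the on‑disk layout (checkpoints/<id>.json with an "owner" field), the session model, the identifier format and every function name are assumptions made for the example. The vulnerable function shows the CWE‑99 anti‑pattern, where the client‑supplied identifier alone selects the resource; the hardened function applies a syntactic allowlist, a containment check, and an ownership check.

```python
"""Constructed illustration of CWE-99 in a checkpoint-restore style handler.

Not ComfyUI-Copilot's code: the on-disk layout (checkpoints/<id>.json with an
"owner" field), the session model and every name below are assumptions made
for the example.
"""
import json
import re
import tempfile
from pathlib import Path

# --- constructed fixture: a throwaway checkpoint store with two sessions -----
BASE = Path(tempfile.mkdtemp()).resolve()      # hypothetical data root
CKPT_DIR = BASE / "checkpoints"                # hypothetical checkpoint store
CKPT_DIR.mkdir()
(CKPT_DIR / "ckpt-0001.json").write_text(json.dumps(
    {"owner": "session-alice", "nodes": ["LoadImage", "KSampler"]}))
(CKPT_DIR / "ckpt-0002.json").write_text(json.dumps(
    {"owner": "session-bob", "nodes": ["CLIPTextEncode"]}))
# A file outside the store that must never be reachable through the API.
(BASE / "secret.json").write_text(json.dumps({"api_key": "constructed-secret"}))

CHECKPOINT_ID = re.compile(r"ckpt-[0-9]{4}")   # assumed identifier format


class BadIdentifier(ValueError):
    """Identifier is malformed or points outside the checkpoint store."""


class Forbidden(PermissionError):
    """Identifier is well-formed but not available to the calling session."""


def restore_vulnerable(session_id: str, checkpoint_id: str) -> dict:
    """CWE-99 anti-pattern: the client-supplied identifier picks the resource.

    Nothing ties the identifier to the caller's session, and nothing stops
    "../secret" from selecting a file outside the store.
    """
    return json.loads((CKPT_DIR / f"{checkpoint_id}.json").read_text())


def restore_hardened(session_id: str, checkpoint_id: str) -> dict:
    """Restore a checkpoint only if the identifier is well-formed, resolves
    inside the store, and belongs to the calling session."""
    # 1. Syntactic allowlist: reject anything not shaped like an id.
    if not CHECKPOINT_ID.fullmatch(checkpoint_id):
        raise BadIdentifier("malformed checkpoint id")
    # 2. Containment: even an allowlisted id must resolve inside the store
    #    (defence in depth should the allowlist ever be loosened).
    path = (CKPT_DIR / f"{checkpoint_id}.json").resolve()
    if not path.is_relative_to(CKPT_DIR):
        raise BadIdentifier("checkpoint id escapes the store")
    # 3. Authorization: bind the identifier to the caller. A missing and a
    #    foreign checkpoint get the same error so ids cannot be enumerated.
    try:
        record = json.loads(path.read_text())
    except FileNotFoundError:
        raise Forbidden("checkpoint not available to this session") from None
    if record.get("owner") != session_id:
        raise Forbidden("checkpoint not available to this session")
    return {"nodes": record["nodes"]}


def rejected(fn, exc, *args) -> bool:
    """True if fn(*args) raises exc; used to exercise the handlers below."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # Legitimate call succeeds in the hardened version.
    print(restore_hardened("session-alice", "ckpt-0001"))
    # Cross-session read: the vulnerable version hands bob alice's checkpoint.
    print(restore_vulnerable("session-bob", "ckpt-0001")["owner"])
    # Store escape: the vulnerable version reads a file outside the store.
    print(restore_vulnerable("session-alice", "../secret"))
    # The hardened version rejects both.
    print(rejected(restore_hardened, Forbidden, "session-bob", "ckpt-0001"))
    print(rejected(restore_hardened, BadIdentifier, "session-alice", "../secret"))
```

The ownership check is the part that matters most for the profile this record describes (low privileges required, confidentiality impact only): a format check alone stops store escapes but still lets one authenticated session restore another session's checkpoint.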

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Values added (no values removed):
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 12:45:00 +0000

Values added (initial record; no values removed):
  • Description: A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
  • Title: AIDC-AI ComfyUI-Copilot Workflow Checkpoint Restore conversation_api.py resource injection
  • First time appeared: Aidc-ai; Aidc-ai comfyui-copilot
  • Weaknesses: CWE-99
  • CPEs: cpe:2.3:a:aidc-ai:comfyui-copilot:*:*:*:*:*:*:*:*
  • Vendors & Products: Aidc-ai; Aidc-ai comfyui-copilot
  • References: (empty)
  • Metrics (cvssV2_0): {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  • Metrics (cvssV3_0): {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  • Metrics (cvssV3_1): {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  • Metrics (cvssV4_0): {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:37:47.799Z

Reserved: 2026-06-27T17:03:08.476Z

Link: CVE-2026-13493

Vulnrichment

Updated: 2026-06-29T12:34:59.902Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T17:45:16Z

Weaknesses
  • CWE-99

    Improper Control of Resource Identifiers ('Resource Injection')