Description
A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in ANTLR4’s getImportedVocabFile function, where the supplied tokenVocab grammar option can reference files outside the intended directory. An attacker can craft a request that causes the runtime to resolve an absolute or relative file path, allowing traversal of the file system. The vulnerability can be exercised remotely, enabling the attacker to read arbitrary files on the host that runs ANTLR4. This presents a moderate threat to confidentiality, since sensitive configuration or source files may be disclosed. The weakness is a classic CWE‑22 style path traversal.

Affected Systems

The issue affects the ANTLR4 grammar parser shipped by the antlr project, specifically versions up to and including 4.13.2. Any installation that uses the tokenVocab Grammar Option Handler and accepts externally supplied grammar definitions is susceptible. Exact version numbers beyond 4.13.2 are not listed; it is presumed that later releases have addressed the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate overall risk, with remote attack capabilities and the ability to read arbitrary files. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no current known exploitation campaigns. Attackers can exploit the flaw from a remote host that can send a crafted grammar definition; no local privilege escalation is required. The lack of a vendor‑issued fix underscores the importance of immediate remediation through upgrading or other mitigations.

Generated by OpenCVE AI on June 28, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ANTLR4 to a version newer than 4.13.2 once available, ensuring the path resolution logic has been patched.
  • If an immediate upgrade is not feasible, isolate the ANTLR4 runtime within a sandboxed environment and enforce strict file permissions so that only the intended directory can be accessed by the lexer/parser.
  • Validate or sanitize the grammar option input before it is passed to getImportedVocabFile, rejecting any path that attempts to navigate outside the designated directory.
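One way to enforce the check in the last recommendation, as an added example that is not ANTLR's own code: a hypothetical Java helper that resolves a tokenVocab name against an assumed single allowed library directory and rejects anything that would land outside it.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical containment check (added example, not ANTLR's own code).
// A tokenVocab option value is a grammar *name*; it should never be a path.
public final class VocabPathGuard {
    private static final String VOCAB_EXT = ".tokens";  // ANTLR's token vocabulary file suffix

    // Resolve vocabName to <libDir>/<vocabName>.tokens, or throw if the
    // result would land outside libDir (assumed to be the only allowed dir).
    public static Path resolveVocabFile(Path libDir, String vocabName) {
        if (vocabName == null || vocabName.isEmpty()) {
            throw new IllegalArgumentException("empty tokenVocab name");
        }
        // First line of defence: a bare name has no separators or dot-dot segments.
        if (vocabName.contains("/") || vocabName.contains("\\") || vocabName.contains("..")) {
            throw new IllegalArgumentException("tokenVocab must be a bare grammar name: " + vocabName);
        }
        Path base = libDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = base.resolve(vocabName + VOCAB_EXT).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid tokenVocab name: " + vocabName, e);
        }
        // Second line of defence: after normalisation the file must still be
        // strictly inside base. normalize() does not follow symlinks; if the
        // lib dir may contain links, compare toRealPath() of existing files too.
        if (!candidate.startsWith(base) || candidate.getNameCount() <= base.getNameCount()) {
            throw new IllegalArgumentException("tokenVocab escapes lib dir: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path lib = Paths.get("grammars", "lib");  // constructed sample directory
        System.out.println("ok: " + resolveVocabFile(lib, "CommonLexer"));
        // Constructed inputs that a name check must reject.
        for (String bad : new String[] {"../outside", "/absolute/name", "sub\\name", ""}) {
            try {
                resolveVocabFile(lib, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The separator check alone would already block the traversal described above; the containment check after normalisation is kept so the guard still holds if the name rule is later relaxed.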

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 15:45:00 +0000

Type / Values Removed / Values Added (the Values Removed column is empty for every row)

  • Description: A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: antlr ANTLR4 tokenVocab Grammar Option TokenVocabParser.java getImportedVocabFile path traversal
  • First Time appeared: Antlr; Antlr antlr4
  • Weaknesses: CWE-22
  • CPEs: cpe:2.3:a:antlr:antlr4:*:*:*:*:*:*:*:*
  • Vendors & Products: Antlr; Antlr antlr4
  • References: (none)
  • Metrics:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T15:15:07.671Z

Reserved: 2026-06-27T18:28:07.035Z

Link: CVE-2026-13503

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T16:30:17Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')