Description
Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.
Published: 2026-03-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper input validation potentially enabling unauthorized directory access within Open OnDemand Files application
Action: Immediate Upgrade
AI Analysis

Impact

The Files application in Open OnDemand is vulnerable to an input validation flaw when navigating to a directory. According to the advisory, malicious directory names are not neutralized properly, leaving the application susceptible to processing of untrusted input. This weakness, classified as CWE‑74, could enable an attacker to influence the file system handling logic, potentially exposing sensitive resources or causing unintended behavior.

Affected Systems

OSC: Open OnDemand is affected. Versions prior to 4.0.9 for the 4.x series and prior to 4.1.3 for the 4.1.x series remain vulnerable. Upgrading to 4.0.9 or 4.1.3 applies the fix; any lower version should be considered susceptible.

Risk and Exploitability

The CVSS score of 6.3 signals a moderate severity. The EPSS score of less than 1 % indicates that, at the time of analysis, the likelihood of exploitation is very low, and the vulnerability is currently not listed in the CISA KEV catalog. The flaw can be triggered via the web interface when a user submits a path in the Files application, but no specific authentication requirements are disclosed. In the absence of known exploits, the immediate risk remains moderate; however, organizations should prioritize remediation to eliminate the potential attack surface.

Generated by OpenCVE AI on April 16, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Open OnDemand to version 4.0.9 or 4.1.3, depending on your release line.
  • If an immediate update is not possible, restrict access to the Files application to authenticated, trusted users only and monitor directory traversal patterns for anomalous activity.
  • Implement server‑side validation or sanitization of directory names in the application logic to ensure that input paths are properly neutralized before use.

Generated by OpenCVE AI on April 16, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Osc
Osc open Ondemand
Vendors & Products Osc
Osc open Ondemand

Wed, 04 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.
Title OnDemand susceptible to malicious input when navigating to a directory.
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Osc Open Ondemand
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:42:15.933Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-26002

cve-icon Vulnrichment

Updated: 2026-03-05T15:32:45.785Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T23:16:09.980

Modified: 2026-03-18T16:09:26.400

Link: CVE-2026-26002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses