Description
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
Published: 2026-03-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access and Deletion
Action: Apply Patch
AI Analysis

Impact

PingPong is a platform for teaching and learning with large language models (Key detail from CVE description). A flaw in its thread file endpoints allows an authenticated user to retrieve or delete files outside the intended authorization scope (Key detail from CVE description). This vulnerability could lead to retrieval or deletion of private files, including user‑uploaded files and model‑generated output files (Key detail from CVE description). The primary impact is unauthorized access and deletion of private data (Key detail from CVE description).

Affected Systems

Affected systems are installations of comppolicylab PingPong (CPE: cpe:2.3:a:harvard:pingpong) with versions prior to 7.27.2 (Key detail from CVE description).

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation (Key detail from SCORES). The vulnerability requires authentication and permission to view or participate in at least one thread, categorizing it as an authenticated web application vulnerability (Key detail from CVE description). Based on the description, it is inferred that the attack vector is a web application endpoint accessed by an authenticated user. This risk is not recorded in the CISA KEV catalog (Key detail from SCORES).

Generated by OpenCVE AI on March 17, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PingPong version 7.27.2 or later (Key detail from CVE description).
  • Verify that all installations have been upgraded and no instances are running a vulnerable version (Key detail from CVE description).

Generated by OpenCVE AI on March 17, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Harvard
Harvard pingpong
CPEs cpe:2.3:a:harvard:pingpong:*:*:*:*:*:*:*:*
Vendors & Products Harvard
Harvard pingpong
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Comppolicylab
Comppolicylab pingpong
Vendors & Products Comppolicylab
Comppolicylab pingpong

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
Title PingPong has improper access control in thread file endpoints allows access outside intended scope
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Comppolicylab Pingpong
Harvard Pingpong
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:50:51.551Z

Reserved: 2026-03-10T22:02:38.853Z

Link: CVE-2026-32097

cve-icon Vulnrichment

Updated: 2026-03-12T19:50:48.681Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:18.243

Modified: 2026-03-16T16:48:13.743

Link: CVE-2026-32097

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:27Z

Weaknesses