Description
A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Request Forgery
Action: Patch
AI Analysis

Impact

ComfyUI releases through version 0.13.0 contain a flaw in the create_origin_only_middleware function defined in server.py. The function fails to enforce the proper origin header check, allowing an attacker to craft HTTP requests that are treated as if they originated from an authorized source. Consequently, a remote user can perform actions on the server with the privileges of the victim’s session, leading to cross‑site request forgery.

Affected Systems

The vulnerability impacts any installation of ComfyUI that includes the unpatched create_origin_only_middleware implementation, i.e., versions up to and including 0.13.0. The affected product is the ComfyUI application, and the vendor is listed as n/a:ComfyUI.

Risk and Exploitability

The CVSS score of 5.3 denotes a moderate risk; the EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. A remote attacker can exploit the flaw by sending forged requests; the missing authorization check (CWE‑862) coupled with the CSRF weakness (CWE‑352) means that if the victim is authenticated, the attacker can cause the server to perform privileged operations on their behalf. No public exploit has been recorded, but the vulnerability is remotely exploitable and can lead to credential misuse or unauthorized actions.

Generated by OpenCVE AI on April 20, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ComfyUI 0.13.1 or later, where the create_origin_only_middleware issue has been addressed.
  • If upgrading is not feasible, disable the create_origin_only_middleware functionality or limit its operation to a strict list of allowed origins in the server configuration.
  • Enforce authentication on all relevant endpoints and use CSRF tokens or same‑site cookie restrictions to ensure that requests cannot be forged from untrusted domains.

Generated by OpenCVE AI on April 20, 2026 at 02:20 UTC.
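The strict allowlist-based origin check recommended above, written out as an added example. This is hypothetical code, not ComfyUI's create_origin_only_middleware and not OpenCVE's; the page does not say how the original check fails, so the example shows the properties a correct check must have (whole-origin comparison against the request's own Host or an explicit allowlist, failing closed on missing or malformed Origin). The function names, the default port 8188 and the origins in the test are constructed.

```python
"""Hypothetical strict-origin check for state-changing requests (added example,
not ComfyUI's create_origin_only_middleware)."""
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods are not CSRF targets
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce an origin-like URL to a (scheme, host, port) tuple.

    Returns None for anything that is not a well-formed http(s) origin
    (the literal 'null' origin, a non-numeric port), so bad input fails
    closed. Comparing whole tuples instead of doing prefix or substring
    matching is what stops 'http://localhost.attacker.example' from being
    mistaken for 'http://localhost'.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:                                 # port not an integer
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def is_request_allowed(method, origin, host, scheme="http", allowed_origins=()):
    """Return True if the request may proceed.

    origin / host are the raw Origin and Host header values (None if absent);
    scheme is the scheme the server is actually reached on; allowed_origins
    lists extra origins (a separately hosted front-end) that may call the API.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if origin is None:
        # Browsers send Origin on cross-site POST, so an unsafe request
        # without one cannot be proven same-site: fail closed. Trusted
        # non-browser clients can send an Origin header instead.
        return False
    requester = normalize_origin(origin)
    if requester is None:
        return False
    own = normalize_origin(f"{scheme}://{host}") if host else None
    if own is not None and requester == own:
        return True                                    # same-origin request
    return any(requester == normalize_origin(o) for o in allowed_origins)
```

The check covers the Origin header only; pair it with SameSite cookies or a CSRF token as the list above recommends, since a header check alone does nothing for clients that do not send Origin.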


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 01:15:00 +0000

Type         Values Removed   Values Added
Description  (empty)          A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title        (empty)          ComfyUI server.py create_origin_only_middleware cross-site request forgery
Weaknesses   (empty)          CWE-352, CWE-862
References   (empty)          (empty)
Metrics      (empty)          cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T00:30:21.353Z

Reserved: 2026-04-19T09:43:46.428Z

Link: CVE-2026-6589

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T01:16:31.477

Modified: 2026-04-20T01:16:31.477

Link: CVE-2026-6589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T02:30:41Z

Weaknesses