Description
A vulnerability was detected in ComfyUI up to 0.13.0. This impacts the function get_model_preview of the file app/model_manager.py of the component Model Preview Endpoint. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Remote Path Traversal
Action: Patch
AI Analysis

Impact

The get_model_preview function in ComfyUI's app/model_manager.py contains a path traversal flaw that allows an attacker to craft a request to the Model Preview Endpoint and read arbitrary files from the server's filesystem. This vulnerability can be exploited remotely without authentication, potentially exposing sensitive data or configuration files. The weakness is described by CWE-22.

Affected Systems

ComfyUI versions up to and including 0.13.0 are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. An attacker can exploit the flaw remotely by sending a crafted request to the Model Preview Endpoint, leveraging the path traversal to access files outside the intended directory. Although authentication is not required, the exploit is limited to files accessible by the application process. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 20, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a ComfyUI release newer than 0.13.0 that incorporates the path-traversal fix.
  • Restrict external access to the Model Preview Endpoint using firewall rules or network segmentation to limit exposure.
  • Monitor server logs for unusual preview requests or attempts to access unexpected file paths.
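The two defender-side pieces a practitioner would want for a CWE-22 bug of this shape are a containment check on the resolved path and a log scan for the requests the recommendation above says to watch for. The block below is an added example written for this page; it is not ComfyUI's code and does not reproduce the real get_model_preview handler. The `/preview` endpoint path, the `filename` query parameter, the log-line format and the sample log lines are all constructed for illustration.

```python
"""Added example (not ComfyUI's code): containment check for a file-preview
handler, plus a log scan for traversal-looking preview requests.
The endpoint path '/preview', the 'filename' parameter and the log format
are constructed assumptions, not taken from the project."""
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Return the on-disk path for `requested` if it lies inside `root`,
    else None. resolve() collapses '..' and follows symlinks, so the
    containment test runs against the final location, not the raw string."""
    root_path = Path(root).resolve()
    # If `requested` is absolute, Path joining discards root_path entirely;
    # that case is caught by the same relative_to() test as '..' segments.
    candidate = (root_path / requested).resolve()
    if candidate == root_path:           # the root itself is never a preview file
        return None
    try:
        candidate.relative_to(root_path)  # segment-wise, so /models_evil != /models
    except ValueError:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway fixture and exercise resolve_under_root on it.
    Returns {case name: True if the request was allowed}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "models"
        (root / "checkpoints").mkdir(parents=True)
        (root / "checkpoints" / "sd.png").write_bytes(b"png")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("constructed secret")
        sibling = Path(tmp) / "models_evil"        # shares the prefix "models"
        sibling.mkdir()
        (sibling / "x.png").write_bytes(b"")
        (root / "link.png").symlink_to(secret)     # symlink escaping the root
        cases = {
            "normal": "checkpoints/sd.png",
            "dotdot": "../secret.txt",
            "absolute": str(secret),
            "prefix_collision": "../models_evil/x.png",
            "symlink_escape": "link.png",
            "empty": "",
        }
        return {name: resolve_under_root(str(root), req) is not None
                for name, req in cases.items()}


# A '..' segment bounded by a separator (or string start/end).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed access-log lines: '<ip> "<METHOD> <target> HTTP/1.1" <status>'.
SAMPLE_LOG = [
    '10.0.0.5 "GET /preview?filename=checkpoints%2Fsd.safetensors HTTP/1.1" 200',
    '10.0.0.7 "GET /preview?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.9 "GET /preview?filename=%252e%252e%2Fconfig.yaml HTTP/1.1" 200',
    '10.0.0.3 "GET /queue HTTP/1.1" 200',
    '10.0.0.4 "GET /preview?filename=%2Fetc%2Fhostname HTTP/1.1" 200',
]


def flag_traversal_requests(log_lines, endpoint: str = "/preview") -> list:
    """Return the lines that hit `endpoint` with a traversal-looking path or
    query value. The target is percent-decoded twice so that double-encoded
    '%252e%252e' is seen as '..' as well."""
    hits = []
    for line in log_lines:
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(unquote(unquote(m.group(1))))
        if not parts.path.startswith(endpoint):
            continue
        query_values = [v for vs in parse_qs(parts.query).values() for v in vs]
        suspicious = TRAVERSAL.search(parts.path) or any(
            TRAVERSAL.search(v) or v.startswith("/") for v in query_values)
        if suspicious:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(demo())
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The containment test uses `Path.relative_to` on fully resolved paths rather than a string prefix comparison: a prefix check would accept `models_evil` as being inside `models`, and an unresolved comparison would miss a symlink that points outside the root. The log scan is deliberately loose (any `..` segment or absolute value on the preview endpoint) because its job is to surface candidates for review, not to be the access control.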

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 01:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was detected in ComfyUI up to 0.13.0. This impacts the function get_model_preview of the file app/model_manager.py of the component Model Preview Endpoint. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | ComfyUI Model Preview Endpoint model_manager.py get_model_preview path traversal
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T00:45:11.883Z

Reserved: 2026-04-19T09:43:49.979Z

Link: CVE-2026-6590

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T01:16:31.673

Modified: 2026-04-20T01:16:31.673

Link: CVE-2026-6590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T02:30:41Z

Weaknesses