CVE-2026-6591 - Vulnerability Details

- ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal

Description

A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-20

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability appears in the LoadImage Node of ComfyUI when the function folder_paths.get_annotated_filepath receives a manipulated Name argument. The manipulation enables path traversal, allowing a remote attacker to access files outside the intended directory. Because the exploit is publicly available and remote exploitation is possible, the attacker can read arbitrary files on the system, potentially exposing confidential data or credentials. The weakness is identified as CWE‑22, which denotes path traversal flaws that lead to confidentiality compromise.

Affected Systems

All installations of ComfyUI 0.13.0 and earlier are affected. This includes the default build of the LoadImage Node that uses the folder_paths.py component. No specific micro‑versions beyond 0.13.0 are listed as affected, so any version prior to or equal to 0.13.0 should be considered at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is currently unavailable, but the presence of a public exploit and the known remote attack vector raise concern for active exploitation in the field. The vulnerability is not listed in the CISA KEV catalog yet; however, the attacker can achieve significant impact by reading arbitrary files, which could lead to further compromise if sensitive data is accessed. The attack can be executed remotely by invoking the LoadImage Node with a crafted Name parameter over the network interface that the ComfyUI instance exposes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

ComfyUI

affected

Version	Status	Constraints
`0.1`	affected	—
`0.2`	affected	—
`0.3`	affected	—
`0.4`	affected	—
`0.5`	affected	—
`0.6`	affected	—
`0.7`	affected	—
`0.8`	affected	—
`0.9`	affected	—
`0.10`	affected	—
`0.11`	affected	—
`0.12`	affected	—
`0.13.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor’s published patch or upgrade to a version newer than 0.13.0. If no official update is available, request a fix from the maintainers of the project.
Limit the API entry point that allows the LoadImage Node to be accessed to trusted users only, and apply network segmentation so that only intended hosts can reach the ComfyUI instance.
Configure file system controls so that the user running ComfyUI cannot read system files outside the intended content directories, thereby limiting exposure even if path traversal is attempted.
Audit access logs for suspicious request patterns that include non‑standard characters such as "..", "../", or other path traversal indicators, and investigate any anomalies promptly.

Generated by OpenCVE AI on April 20, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333
https://vuldb.com/submit/791112
https://vuldb.com/vuln/358226
https://vuldb.com/vuln/358226/cti

History

Mon, 20 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal
Weaknesses		CWE-22
References		https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333 https://vuldb.com/submit/791112 https://vuldb.com/vuln/358226 https://vuldb.com/vuln/358226/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-20T01:00:18.496Z

Updated: 2026-04-20T01:00:18.496Z

Reserved: 2026-04-19T09:44:01.638Z

Link: CVE-2026-6591

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T01:16:31.870

Modified: 2026-04-20T01:16:31.870

Link: CVE-2026-6591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T03:00:09Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object