CVE-2026-8757 - Vulnerability Details

- adenhq hive Delete Request routes_sessions.py _read_events_tail path traversal

Description

A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-17

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A path‑traversal flaw exists in the _read_events_tail function of the Delete Request Handler in adenhq Hive. The flaw allows an attacker to manipulate a request to reference arbitrary files on the host, potentially exposing sensitive data. The vulnerability is identified as CWE‑22 and can be triggered remotely, after which the attacker can read any file the application user can access.

Affected Systems

All installations of adenhq Hive up to and including version 0.11.0 are affected. The exposed code resides in core/framework/server/routes_sessions.py within the Delete Request component. No other products or versions are listed. Administrators of environments running these versions should verify deployment and seek remediation.

Risk and Exploitability

The CVSS v3.1 score is 6.9, indicating a moderate severity. EPSS is not available, and the vulnerability is not in the CISA KEV catalog, suggesting low to moderate exploitation activity. Because the attack vector is inferred to be remote, an attacker could issue a crafted request to the Delete endpoint to read arbitrary files if the server does not enforce strict path validation. Until a patch is applied, the risk remains at the stated moderate level.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

adenhq

hive

affected

Version	Status	Constraints
`0.1`	affected	—
`0.2`	affected	—
`0.3`	affected	—
`0.4`	affected	—
`0.5`	affected	—
`0.6`	affected	—
`0.7`	affected	—
`0.8`	affected	—
`0.9`	affected	—
`0.10`	affected	—
`0.11.0`	affected	—

No data.

Vendor Product Confidence Versions

Adenhq

Hive

100%

Version	Status	Scheme	Platform
`0.1`	affected	generic	—
`0.2`	affected	generic	—
`0.3`	affected	generic	—
`0.4`	affected	generic	—
`0.5`	affected	generic	—
`0.6`	affected	generic	—
`0.7`	affected	generic	—
`0.8`	affected	generic	—
`0.9`	affected	generic	—
`0.10`	affected	generic	—
`0.11.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade adenhq Hive to a version newer than 0.11.0 or apply the vendor‑issued patch that addresses the path‑traversal in the Delete Request Handler.
If an upgrade is not immediately possible, block external access to the Delete Request endpoint (e.g., via firewall or application‑level rules) to prevent remote exploitation.
Configure the application to enforce strict path canonicalization and reject any file paths that contain traversal sequences before passing them to the filesystem, following best practices for avoiding CWE‑22 vulnerabilities.

Generated by OpenCVE AI on May 17, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/ff3ff201b05d13d41f949f86e9187bd2
https://vuldb.com/submit/811276
https://vuldb.com/vuln/364384
https://vuldb.com/vuln/364384/cti

History

Sun, 17 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		adenhq hive Delete Request routes_sessions.py _read_events_tail path traversal
First Time appeared		Adenhq Adenhq hive
Weaknesses		CWE-22
CPEs		cpe:2.3:a:adenhq:hive::::::::
Vendors & Products		Adenhq Adenhq hive
References		https://gist.github.com/YLChen-007/ff3ff201b05d13d41f949f86e9187bd2 https://vuldb.com/submit/811276 https://vuldb.com/vuln/364384 https://vuldb.com/vuln/364384/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Adenhq Hive

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-17T13:15:09.780Z

Updated: 2026-05-17T13:15:09.780Z

Reserved: 2026-05-16T17:39:06.425Z

Link: CVE-2026-8757

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T14:16:21.380

Modified: 2026-05-17T14:16:21.380

Link: CVE-2026-8757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T16:59:48Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object