Executive Summary

CVE-2026-22777 is a high-severity CRLF Injection vulnerability in ComfyUI-Manager's configuration handler. Before versions 3.39.2 and 4.0.5, an attacker could inject special characters like carriage return, newline, or null characters into HTTP query parameters. This allowed them to add arbitrary configuration values to the config.ini file, potentially tampering with security settings or altering the application's behavior. The vulnerability arises from improper input sanitization in the ConfigParser component. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to modify the application's configuration by injecting arbitrary values into the config.ini file remotely, especially if the ComfyUI-Manager is run with the --listen option enabled. This can lead to tampering with security settings or changing how the application behaves, potentially compromising the integrity of the system without requiring any privileges or user interaction. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the ComfyUI-Manager service, especially those containing suspicious special characters such as carriage return (\r), newline (\n), or null (\x00) characters in query parameters. Look for HTTP requests targeting the /snapshot/remove or /snapshot/restore endpoints with unusual or malformed 'target' parameters that might attempt path traversal sequences like '..', '/' or '\\'. Commands to detect such attempts could include using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and grep or filter for suspicious patterns. For example, using tcpdump: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E 'target=.*(\r|\n|\x00|\.\.|/|\\)' or using web server logs to search for suspicious query parameters with: grep -E 'target=.*(\r|\n|\x00|\.\.|/|\\)' /path/to/access.log. Additionally, checking the config.ini file for unexpected or unauthorized configuration entries can indicate exploitation attempts. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade ComfyUI-Manager to version 3.39.2 or later (for the v3.x branch) or 4.0.5 or later (for the v4.x branch), where the issue has been patched. The fix includes input sanitization that removes carriage return, newline, and null characters from configuration inputs and validation of snapshot file paths to prevent path traversal. If upgrading is not immediately possible, restrict network access to the ComfyUI-Manager service, especially disabling or limiting the --listen option to prevent remote exploitation. Monitor and block suspicious HTTP requests targeting the vulnerable endpoints (/snapshot/remove and /snapshot/restore) with malformed query parameters. Review and clean the config.ini file for any unauthorized changes. [1, 2]

Useful 0 Not Useful 0