CVE-2026-22777
Configuration Injection in ComfyUI-Manager Allows Security Setting Tampering
Publication date: 2026-01-10
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comfy-org | comfyui-manager | to 3.39.2 (exc) |
| comfy-org | comfyui-manager | From 4.0.0 (inc) to 4.0.5 (exc) |
| comfy-org | comfyui-manager | 3.39.2 |
| comfy-org | comfyui-manager | 4.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22777 is a high-severity CRLF Injection vulnerability in ComfyUI-Manager's configuration handler. Before versions 3.39.2 and 4.0.5, an attacker could inject special characters like carriage return, newline, or null characters into HTTP query parameters. This allowed them to add arbitrary configuration values to the config.ini file, potentially tampering with security settings or altering the application's behavior. The vulnerability arises from improper input sanitization in the ConfigParser component. [2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to modify the application's configuration by injecting arbitrary values into the config.ini file remotely, especially if the ComfyUI-Manager is run with the --listen option enabled. This can lead to tampering with security settings or changing how the application behaves, potentially compromising the integrity of the system without requiring any privileges or user interaction. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the ComfyUI-Manager service, especially those containing suspicious special characters such as carriage return (\r), newline (\n), or null (\x00) characters in query parameters. Look for HTTP requests targeting the /snapshot/remove or /snapshot/restore endpoints with unusual or malformed 'target' parameters that might attempt path traversal sequences like '..', '/' or '\\'. Commands to detect such attempts could include using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and grep or filter for suspicious patterns. For example, using tcpdump: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E 'target=.*(\r|\n|\x00|\.\.|/|\\)' or using web server logs to search for suspicious query parameters with: grep -E 'target=.*(\r|\n|\x00|\.\.|/|\\)' /path/to/access.log. Additionally, checking the config.ini file for unexpected or unauthorized configuration entries can indicate exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade ComfyUI-Manager to version 3.39.2 or later (for the v3.x branch) or 4.0.5 or later (for the v4.x branch), where the issue has been patched. The fix includes input sanitization that removes carriage return, newline, and null characters from configuration inputs and validation of snapshot file paths to prevent path traversal. If upgrading is not immediately possible, restrict network access to the ComfyUI-Manager service, especially disabling or limiting the --listen option to prevent remote exploitation. Monitor and block suspicious HTTP requests targeting the vulnerable endpoints (/snapshot/remove and /snapshot/restore) with malformed query parameters. Review and clean the config.ini file for any unauthorized changes. [1, 2]