CVE-2026-26002
Received - Intake
Directory Traversal Vulnerability in Open OnDemand Files Application

Publication date: 2026-03-04

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below these remain susceptible.
Meta Information
Published: 2026-03-04
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
osc open_ondemand to 3.1.16 (exc)
osc open_ondemand From 4.0.0 (inc) to 4.0.9 (exc)
osc open_ondemand From 4.1.0 (inc) to 4.1.3 (exc)
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

The vulnerability exists in the Files application of Open OnDemand versions prior to 4.0.9 and 4.1.3. The application is susceptible to malicious input when navigating to a directory, so an attacker could potentially exploit the way it handles directory navigation input to cause unintended behavior or compromise.

This issue has been fixed in versions 4.0.9 and 4.1.3, so only versions below these remain vulnerable.

Impact Analysis

Exploitation of this vulnerability could allow an attacker to leverage malicious input during directory navigation to potentially disrupt the application or gain unauthorized access or control within the Open OnDemand portal environment.

Given the CVSS base score of 6.3, the impact is considered moderate, indicating that the vulnerability could lead to significant but not critical consequences if exploited.

Mitigation Strategies

To mitigate this vulnerability, upgrade Open OnDemand to version 4.0.9 or 4.1.3 or later, as these versions contain the patch that fixes the issue.

Versions prior to 4.0.9 and 4.1.3 remain susceptible, so running those versions should be avoided.
