CVE-2026-32097
Unauthorized File Access and Deletion in PingPong LLM Platform
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| harvard | pingpong | up to 7.27.2 (7.27.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32097 is a high-severity improper access control vulnerability in the PingPong Server (versions up to 7.27.1) affecting thread file endpoints.
Authenticated users with permission to view at least one thread can exploit this flaw to retrieve files outside their authorized scope, including private user-uploaded files and model-generated output files.
Additionally, users with permission to participate in at least one thread can delete files beyond their intended scope.
The vulnerability arises from insufficient authorization checks on those endpoints: access is keyed on the file identifier supplied in the request (CWE-639) rather than on whether the file belongs to a message in a thread the requesting user may view or participate in, so a user with minimal thread permissions can reach or delete files from threads they are not authorized for.
This issue was fixed in version 7.27.2 by implementing improved validation and stricter message-scoped access controls.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized retrieval or deletion of private files, including user-uploaded files and model-generated output files.
An attacker who is an authenticated user with minimal thread permissions can access or delete files outside their intended authorization scope.
The impact includes high confidentiality and integrity risks due to unauthorized file access and deletion.
There is no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper access control on thread file endpoints in PingPong Server versions up to 7.27.1, allowing authenticated users with minimal thread permissions to retrieve or delete files outside their authorization scope.
Detection would involve monitoring or testing access to thread file download, image download, and file deletion endpoints to verify if unauthorized retrieval or deletion is possible.
No specific detection commands or automated detection tools are provided in the available information.
A practical approach could be to attempt authenticated requests to these endpoints with a user account having minimal thread permissions and observe if files outside the authorized scope can be accessed or deleted.
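The following is an added example, not PingPong's code, illustrating both the CWE-639 pattern described in the first answer and the cross-scope probe suggested in the detection answer. The data model (threads, messages, files), the permission names, the function names and the sample users are assumptions chosen to show the pattern; none of them are identifiers from the project. The flawed checks verify only that the user can view or participate in some thread and then fetch whatever file id the request names; the fixed checks resolve file -> message -> thread and authorize against that specific thread, which is the message-scoped control the advisory describes.

```python
"""Illustrative model of a CWE-639 file-access flaw and its message-scoped fix.
Added example; the data model and names below are assumptions, not PingPong's."""
from dataclasses import dataclass, field


@dataclass
class Thread:
    id: int
    viewers: set        # users allowed to view the thread
    participants: set   # users allowed to post in (and delete files from) it


@dataclass
class Message:
    id: int
    thread_id: int
    author: str


@dataclass
class StoredFile:
    id: int
    message_id: int     # every file hangs off exactly one message


@dataclass
class Store:
    threads: dict = field(default_factory=dict)
    messages: dict = field(default_factory=dict)
    files: dict = field(default_factory=dict)


def vulnerable_can_read(store, user, file_id):
    # Flawed: only checks that the user can view *some* thread, then serves
    # whatever file id the client supplied.  Every file id is reachable.
    if not any(user in t.viewers for t in store.threads.values()):
        return False
    return file_id in store.files


def vulnerable_can_delete(store, user, file_id):
    # Same flaw for deletion: "participant somewhere" is treated as enough.
    if not any(user in t.participants for t in store.threads.values()):
        return False
    return file_id in store.files


def _thread_for_file(store, file_id):
    # Resolve file -> message -> thread; None if any link is missing.
    f = store.files.get(file_id)
    m = store.messages.get(f.message_id) if f else None
    return store.threads.get(m.thread_id) if m else None


def fixed_can_read(store, user, file_id):
    # Message-scoped: authorize against the thread this file actually belongs to.
    t = _thread_for_file(store, file_id)
    return t is not None and user in t.viewers


def fixed_can_delete(store, user, file_id):
    t = _thread_for_file(store, file_id)
    return t is not None and user in t.participants


def build_sample_store():
    # Constructed sample data: alice owns thread 1, bob may only view it,
    # mallory owns thread 2 and has no rights on thread 1.
    s = Store()
    s.threads[1] = Thread(1, viewers={"alice", "bob"}, participants={"alice"})
    s.threads[2] = Thread(2, viewers={"mallory"}, participants={"mallory"})
    s.messages[10] = Message(10, thread_id=1, author="alice")
    s.messages[20] = Message(20, thread_id=2, author="mallory")
    s.files[100] = StoredFile(100, message_id=10)  # alice's private upload
    s.files[200] = StoredFile(200, message_id=20)  # mallory's own file
    return s


def probe_cross_scope(read_check, delete_check, store, attacker, target_file):
    # The test the detection answer suggests: can a minimally privileged user
    # read or delete a file that lives outside their threads?
    return {"read": read_check(store, attacker, target_file),
            "delete": delete_check(store, attacker, target_file)}


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable:", probe_cross_scope(vulnerable_can_read, vulnerable_can_delete, s, "mallory", 100))
    print("fixed:     ", probe_cross_scope(fixed_can_read, fixed_can_delete, s, "mallory", 100))
```

Against a live server the same probe is two authenticated requests from the low-privilege account: a download of a file id taken from a thread that account cannot see, and a delete of the same id; any response other than a denial on a version below 7.27.2 confirms the issue.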
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the PingPong Server to version 7.27.2 or later, where the vulnerability has been fixed by implementing improved validation and stricter message-scoped access controls.
If upgrading immediately is not possible, restrict access to the thread file download, image download, and file deletion endpoints to prevent exploitation.
No other workarounds are known according to the available information.