CVE-2026-32097
Received Received - Intake
Unauthorized File Access and Deletion in PingPong LLM Platform

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32097
EUVD
EUVD-2026-11338
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
harvard pingpong to 7.27.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32097 is a high-severity improper access control vulnerability in the PingPong Server (versions up to 7.27.1) affecting thread file endpoints.

Authenticated users with permission to view at least one thread can exploit this flaw to retrieve files outside their authorized scope, including private user-uploaded files and model-generated output files.

Additionally, users with permission to participate in at least one thread can delete files beyond their intended scope.

The vulnerability arises from insufficient authorization checks, allowing unauthorized access or deletion by manipulating thread file endpoints.

This issue was fixed in version 7.27.2 by implementing improved validation and stricter message-scoped access controls.

Impact Analysis

This vulnerability can lead to unauthorized retrieval or deletion of private files, including user-uploaded files and model-generated output files.

An attacker who is an authenticated user with minimal thread permissions can access or delete files outside their intended authorization scope.

The impact includes high confidentiality and integrity risks due to unauthorized file access and deletion.

There is no impact on availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves improper access control on thread file endpoints in PingPong Server versions up to 7.27.1, allowing authenticated users with minimal thread permissions to retrieve or delete files outside their authorization scope.

Detection would involve monitoring or testing access to thread file download, image download, and file deletion endpoints to verify if unauthorized retrieval or deletion is possible.

No specific detection commands or automated detection tools are provided in the available information.

A practical approach could be to attempt authenticated requests to these endpoints with a user account having minimal thread permissions and observe if files outside the authorized scope can be accessed or deleted.

Mitigation Strategies

The primary mitigation step is to upgrade the PingPong Server to version 7.27.2 or later, where the vulnerability has been fixed by implementing improved validation and stricter message-scoped access controls.

If upgrading immediately is not possible, restrict access to the thread file download, image download, and file deletion endpoints to prevent exploitation.

No other workarounds are known according to the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart