CVE-2026-40086
Received Received - Intake
Path Traversal in Rembg HTTP Server Allows Arbitrary File Access

Publication date: 2026-04-10

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Rembg is a tool to remove images background. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious model_path parameter, an attacker can force the server to attempt loading any file as an ONNX model, revealing file existence, permissions, and potentially file contents through error messages. This vulnerability is fixed in 2.0.75.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40086
EUVD
EUVD-2026-21492
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
danielgatis rembg to 2.0.75 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40086 is a path traversal vulnerability in the rembg HTTP server (versions prior to 2.0.75) that allows unauthenticated remote attackers to read arbitrary files on the server's filesystem.

The vulnerability occurs because the server accepts a JSON parameter called "model_path" without proper validation or sanitization. Attackers can send crafted requests specifying arbitrary file paths, causing the server to attempt loading those files as ONNX models.

This leads to information disclosure through error messages that reveal whether files exist, their permissions, and potentially their contents.

Impact Analysis

This vulnerability can impact you by allowing attackers to remotely and without authentication read arbitrary files on your server running the rembg HTTP server.

  • Attackers can enumerate sensitive files such as system files (/etc/passwd), configuration files, and credential files.
  • It can lead to information disclosure, credential discovery, and infrastructure mapping.
  • Attackers might cause denial of service by forcing the server to load large files, exhausting resources.
  • All users running rembg in HTTP server mode, including cloud and Docker deployments exposing the API, are affected.
Detection Guidance

This vulnerability can be detected by sending crafted HTTP POST requests to the vulnerable rembg HTTP server's API endpoint and observing the server's error responses.

Specifically, you can run the rembg server in vulnerable mode (versions ≀ 2.0.69) and send POST requests to the `/api/remove` endpoint with the `extras` JSON parameter containing a malicious `model_path` value pointing to sensitive or arbitrary files.

Example commands using curl to test for the vulnerability include:

  • Start the vulnerable rembg server: `rembg s --host 0.0.0.0 --port 7000`
  • Send a POST request with a malicious model_path to check for file existence or read permissions:
  • ```bash curl -X POST "http://localhost:7000/api/remove?extras={\"model_path\":\"/etc/passwd\"}" -H "Content-Type: application/json" ```
  • Interpret the server's error messages in the response or logs:
  • - "Load model from /etc/passwd failed: Protobuf parsing failed" indicates the file exists and was read but is not a valid ONNX model.
  • - "Load model from /nonexistent/file.txt failed: File doesn't exist" indicates the file does not exist.
  • - Permission denied errors indicate the file exists but is not readable.
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade rembg to version 2.0.75 or later where the vulnerability is fixed.

If upgrading is not immediately possible, consider the following mitigation options:

  • Disable custom model support in the HTTP API by filtering out model names ending with `_custom` from allowed models.
  • If custom models must be supported, implement strict validation of the `model_path` parameter to ensure it resides only within an allowlist of safe directories (e.g., `~/.u2net`, `/app/models`).
  • Do not expose the rembg HTTP server directly to the internet. Use reverse proxies with authentication and network access controls.
  • Monitor server logs for suspicious requests attempting to exploit the `model_path` parameter.
Compliance Impact

The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server's filesystem, potentially exposing sensitive information such as configuration files, credentials, and system files.

This unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Organizations using vulnerable versions of rembg in HTTP server mode may risk violating confidentiality requirements mandated by these standards due to the potential exposure of sensitive files.

Mitigations such as disabling custom model support in the HTTP API, validating model paths strictly, and restricting server exposure are recommended to reduce the risk and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart