CVE-2026-40086
Path Traversal in Rembg HTTP Server Allows Arbitrary File Access
Publication date: 2026-04-10
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| danielgatis | rembg | to 2.0.75 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40086 is a path traversal vulnerability in the rembg HTTP server (versions prior to 2.0.75) that allows unauthenticated remote attackers to read arbitrary files on the server's filesystem.
The vulnerability occurs because the server accepts a JSON parameter called "model_path" without proper validation or sanitization. Attackers can send crafted requests specifying arbitrary file paths, causing the server to attempt loading those files as ONNX models.
This leads to information disclosure through error messages that reveal whether files exist, their permissions, and potentially their contents.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to remotely and without authentication read arbitrary files on your server running the rembg HTTP server.
- Attackers can enumerate sensitive files such as system files (/etc/passwd), configuration files, and credential files.
- It can lead to information disclosure, credential discovery, and infrastructure mapping.
- Attackers might cause denial of service by forcing the server to load large files, exhausting resources.
- All users running rembg in HTTP server mode, including cloud and Docker deployments exposing the API, are affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the vulnerable rembg HTTP server's API endpoint and observing the server's error responses.
Specifically, you can run the rembg server in vulnerable mode (versions β€ 2.0.69) and send POST requests to the `/api/remove` endpoint with the `extras` JSON parameter containing a malicious `model_path` value pointing to sensitive or arbitrary files.
Example commands using curl to test for the vulnerability include:
- Start the vulnerable rembg server: `rembg s --host 0.0.0.0 --port 7000`
- Send a POST request with a malicious model_path to check for file existence or read permissions:
- ```bash curl -X POST "http://localhost:7000/api/remove?extras={\"model_path\":\"/etc/passwd\"}" -H "Content-Type: application/json" ```
- Interpret the server's error messages in the response or logs:
- - "Load model from /etc/passwd failed: Protobuf parsing failed" indicates the file exists and was read but is not a valid ONNX model.
- - "Load model from /nonexistent/file.txt failed: File doesn't exist" indicates the file does not exist.
- - Permission denied errors indicate the file exists but is not readable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade rembg to version 2.0.75 or later where the vulnerability is fixed.
If upgrading is not immediately possible, consider the following mitigation options:
- Disable custom model support in the HTTP API by filtering out model names ending with `_custom` from allowed models.
- If custom models must be supported, implement strict validation of the `model_path` parameter to ensure it resides only within an allowlist of safe directories (e.g., `~/.u2net`, `/app/models`).
- Do not expose the rembg HTTP server directly to the internet. Use reverse proxies with authentication and network access controls.
- Monitor server logs for suspicious requests attempting to exploit the `model_path` parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server's filesystem, potentially exposing sensitive information such as configuration files, credentials, and system files.
This unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.
Organizations using vulnerable versions of rembg in HTTP server mode may risk violating confidentiality requirements mandated by these standards due to the potential exposure of sensitive files.
Mitigations such as disabling custom model support in the HTTP API, validating model paths strictly, and restricting server exposure are recommended to reduce the risk and help maintain compliance.