CVE-2026-6589
Received Received - Intake
Cross-Site Request Forgery in ComfyUI create_origin_only_middleware

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6589
EUVD
EUVD-2026-23731
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comfyui comfyui to 0.13.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ComfyUI up to version 0.13.0, specifically in the function create_origin_only_middleware within the file server.py. It allows an attacker to perform a cross-site request forgery (CSRF) attack, which can be initiated remotely.

Detection Guidance

This vulnerability can be detected by testing the ComfyUI instance for CSRF protection bypass using requests with the Origin header set to null. Specifically, sending HTTP requests with Origin: null to the ComfyUI server and observing if the requests are accepted (HTTP 200) instead of rejected (HTTP 403) indicates the vulnerability.

A proof of concept involves using curl commands to send requests with different Origin headers to the ComfyUI server at 127.0.0.1:8188. Normal cross-origin requests with a valid Origin are blocked, but requests with Origin: null bypass the CSRF protection.

  • curl -H "Origin: http://evil.com" -X POST http://127.0.0.1:8188/some_endpoint # Expected to be blocked (HTTP 403)
  • curl -H "Origin: null" -X POST http://127.0.0.1:8188/some_endpoint # Expected to bypass CSRF protection (HTTP 200)

Additionally, testing the ability to upload HTML files to the /userdata/ endpoint and then accessing them to check if the JavaScript executes can confirm the stored XSS aspect of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the ComfyUI service to trusted networks or localhost only, since the vulnerability requires the victim to access a malicious webpage that triggers the attack.

Avoid visiting untrusted or suspicious websites while ComfyUI is running locally, as the attack relies on the victim's browser acting as a proxy.

If possible, disable or restrict the /userdata/ endpoint to prevent uploading and serving of arbitrary HTML files that can execute JavaScript.

Monitor for updates or patches from the vendor, although none were available at the time of reporting.

Consider implementing additional network-level protections such as firewall rules to block external access to the ComfyUI port (default 8188).

Impact Analysis

The vulnerability enables an attacker to trick a user into executing unwanted actions on a web application in which they are authenticated. This can lead to unauthorized actions being performed without the user's consent.

Compliance Impact

The vulnerability in ComfyUI allows for cross-site request forgery (CSRF), which can lead to unauthorized actions being performed on behalf of authenticated users. Such security weaknesses can potentially impact compliance with standards like GDPR and HIPAA, which require protection of user data and secure handling of user interactions to prevent unauthorized access or manipulation.

However, the provided information does not specify direct effects or compliance implications related to GDPR, HIPAA, or other regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart