CVE-2026-6589
Cross-Site Request Forgery in ComfyUI create_origin_only_middleware
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comfyui | comfyui | up to 0.13.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the ComfyUI instance for CSRF protection bypass using requests with the Origin header set to null. Specifically, sending HTTP requests with Origin: null to the ComfyUI server and observing if the requests are accepted (HTTP 200) instead of rejected (HTTP 403) indicates the vulnerability.
A proof of concept involves using curl commands to send requests with different Origin headers to the ComfyUI server at 127.0.0.1:8188. Normal cross-origin requests with a valid Origin are blocked, but requests with Origin: null bypass the CSRF protection.
- curl -H "Origin: http://evil.com" -X POST http://127.0.0.1:8188/some_endpoint # Expected to be blocked (HTTP 403)
- curl -H "Origin: null" -X POST http://127.0.0.1:8188/some_endpoint # Expected to bypass CSRF protection (HTTP 200)
Additionally, testing the ability to upload HTML files to the /userdata/ endpoint and then accessing them to check if the JavaScript executes can confirm the stored XSS aspect of the vulnerability.
Can you explain this vulnerability to me?
This vulnerability exists in ComfyUI up to version 0.13.0, specifically in the function create_origin_only_middleware within the file server.py. It allows an attacker to perform a cross-site request forgery (CSRF) attack, which can be initiated remotely.
How can this vulnerability impact me?
The vulnerability enables an attacker to trick a user into executing unwanted actions on a web application in which they are authenticated. This can lead to unauthorized actions being performed without the user's consent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ComfyUI allows for cross-site request forgery (CSRF), which can lead to unauthorized actions being performed on behalf of authenticated users. Such security weaknesses can potentially impact compliance with standards like GDPR and HIPAA, which require protection of user data and secure handling of user interactions to prevent unauthorized access or manipulation.
However, the provided information does not specify direct effects or compliance implications related to GDPR, HIPAA, or other regulations.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the ComfyUI service to trusted networks or localhost only, since the vulnerability requires the victim to access a malicious webpage that triggers the attack.
Avoid visiting untrusted or suspicious websites while ComfyUI is running locally, as the attack relies on the victim's browser acting as a proxy.
If possible, disable or restrict the /userdata/ endpoint to prevent uploading and serving of arbitrary HTML files that can execute JavaScript.
Monitor for updates or patches from the vendor, although none were available at the time of reporting.
Consider implementing additional network-level protections such as firewall rules to block external access to the ComfyUI port (default 8188).
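As an added defensive illustration serving both the detection answer and the mitigation answer above (this is not ComfyUI's code and not the fixed create_origin_only_middleware), the following shows how a strict Origin policy treats the literal `null` value and a missing header as untrusted, and how the same rule can be run over access-log lines to find accepted requests that such a policy would have rejected. The function names, the allowlist parameter and the sample log lines are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Methods that do not change state and therefore fall outside this CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def origin_allowed(method, origin, host, allowlist=()):
    """Strict Origin check for state-changing requests.

    Unlike a policy that only blocks *known foreign* origins, this one treats
    the literal value "null" (sent by browsers for sandboxed frames, data: URLs
    and some cross-origin redirects) and a missing Origin header as untrusted.
    `host` is the server's own Host value, e.g. "127.0.0.1:8188".
    """
    if method.upper() in SAFE_METHODS:
        return True
    if origin is None or origin.strip().lower() == "null":
        return False                      # opaque or absent origin: reject
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False                      # malformed Origin value
    # Exact host[:port] comparison against our own Host value, or an exact
    # allowlist entry; no substring or prefix matching.
    return parts.netloc == host or origin.rstrip("/") in allowlist

# Constructed sample access log (not real ComfyUI output), one request per line:
# "<method> <path> <status> <Origin header, or '-' when absent>"
SAMPLE_LOG = """\
POST /some_endpoint 200 http://127.0.0.1:8188
POST /some_endpoint 403 http://evil.example
POST /some_endpoint 200 null
GET /some_endpoint 200 null
POST /userdata/demo.html 200 -
"""

def suspicious_requests(log_text, host="127.0.0.1:8188"):
    """Return accepted (200) state-changing requests whose Origin the strict
    policy would have rejected; these are the requests worth investigating."""
    hits = []
    for line in log_text.splitlines():
        method, path, status, origin = line.split()
        origin = None if origin == "-" else origin
        if status == "200" and not origin_allowed(method, origin, host):
            hits.append((method, path, origin))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```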