CVE-2026-32999
Insufficient Input Validation in Comet Backup Server Allows Code Execution
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: HackerOne
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| comet_backup | comet_backup | all versions before 26.4.3 (26.4.3 excluded) |
| comet_backup | comet_backup | all versions before 26.5.0 (26.5.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32999 is a remote code execution (RCE) vulnerability in Comet Backup affecting versions prior to 26.4.3 and prior to 26.5.0.
The root cause is insufficient character filtering in the backup agent signing module: a tenant administrator who holds branding permissions can include malicious .dll or .so files in the branding configuration, and the server does not reject them. Because the branding material is packaged into the signed backup agent, the attacker-supplied library is carried to every device that installs or updates that agent.
The result is arbitrary code execution on the Comet Backup server and on connected devices, with elevated privileges, from an account that should be confined to a single tenant. This is a tenancy-boundary bypass (CWE-94, code injection), not an unauthenticated attack: the attacker needs a tenant administrator account with branding rights.
How can this vulnerability impact me?
An attacker who exploits this vulnerability can read the server's configuration files and the backed-up user data of remote devices where the backup agent is installed.
They can also stop, replace, or remove the Comet Server installation, and execute code with privileged user permissions on connected devices.
The likely consequences are data breaches, loss of data integrity, and disruption of the backup service itself. Note that backups are often the last line of defence in a ransomware incident, so compromise of the backup server and its agents can undermine recovery for every tenant on that server, not only the attacker's own.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation requires an authenticated tenant administrator to upload .dll or .so files through the branding configuration, so detection centres on two things: branding configuration changes that nobody expected, and native library files turning up where only images, text and similar branding assets should be.
On the server, list the branding configuration directory sorted by modification time (for example 'ls -lt' on Linux) and use 'find' to locate recently modified or newly created .dll or .so files under it. A file system integrity monitor, or a sha256 manifest of the branding directory taken after a known-good deployment and diffed on a schedule, is more reliable than an ad-hoc listing because a legitimate branding update and a malicious one look identical in a directory listing; only the file content and who changed it distinguish them.
Also review the server's own logs for branding changes made by tenant administrators outside of expected change windows, and watch endpoints for backup agent processes loading libraries from the agent's installation directory that were not present in the previous agent version, or for the agent spawning unexpected child processes with elevated privileges. Any .dll or .so found in branding material should be treated as an indicator of compromise until proven otherwise, since there is no legitimate reason for one to be there.
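The checks described above, written out as an added example. This is not part of the original page and not code from Comet; the branding directory location and the sample files are constructed for demonstration. The first function lists recently modified native libraries under a directory, the second produces a sorted sha256 manifest that can be saved after a known-good deployment and diffed against later runs.

```shell
#!/bin/sh
# Added example for CVE-2026-32999 triage; not Comet's own tooling.
# Assumption: the Comet Server branding material lives under a directory
# you pass as the first argument (check your own server's data directory).

# List .dll/.so files under "$1" modified within the last "$2" days (default 7).
# Native libraries have no business in branding material, so any hit is
# worth investigating regardless of age.
find_recent_libs() {
  dir="$1"
  days="${2:-7}"
  find "$dir" -type f \( -name '*.dll' -o -name '*.so' \) -mtime "-$days" -print
}

# Sorted sha256 manifest of every file under "$1". Save the output after a
# known-good deployment and diff it against a fresh run on a schedule; a new
# or changed line points at exactly the file to inspect.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Constructed sample tree standing in for a branding directory.
# Two freshly written native libraries, one legitimate asset, and one
# old library backdated with POSIX 'touch -t' so it falls outside the window.
make_sample() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/branding"
  printf 'png-bytes' > "$tmp/branding/logo.png"
  printf 'MZ' > "$tmp/branding/payload.dll"
  printf '\177ELF' > "$tmp/branding/evil.so"
  printf 'old' > "$tmp/branding/old.so"
  touch -t 202001010000 "$tmp/branding/old.so"
  echo "$tmp"
}

# Usage (run directly): build the sample, list recent libraries, print manifest.
if [ "${1:-}" = "demo" ]; then
  sample=$(make_sample)
  echo "Recent native libraries under $sample:"
  find_recent_libs "$sample" 7
  echo "Manifest:"
  manifest "$sample"
fi
```

In production, run `manifest` against the real branding directory right after upgrading to a fixed version, store the output somewhere the server cannot write to, and alert on any diff. The `find_recent_libs` window is deliberately generous: an attacker who planted a library months ago and has been riding agent updates since will not show up in a seven-day window, which is why the manifest diff, not the age filter, is the primary control.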
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update Comet Backup to version 26.4.3 or later, or 26.5.0 or later; those releases contain the fix.
For self-hosted Comet Backup deployments, applying this update is the critical step. Comet Hosted servers have already been patched, so hosted administrators need take no action for the server itself. Until the update is applied, reduce exposure by reviewing which tenant administrator accounts hold branding permissions and removing the permission where it is not needed, since the attack requires it. After patching, remember that the fix prevents new uploads but does not retroactively clean agents already built from a tampered branding configuration: audit the branding directory for .dll or .so files and rebuild and redistribute the agent if any are found.