CVE-2026-13503
Received Received - Intake

Path Traversal in ANTLR4 Token Vocab Parser

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description
A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-28
Last Modified
2026-06-28
Generated
2026-06-28
AI Q&A
2026-06-28
EPSS Evaluated
N/A
NVD
CVE-2026-13503
EUVD
EUVD-2026-40001

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
antlr antlr4 to 4.13.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13503 is a path traversal vulnerability in ANTLR4 version 4.13.2, specifically in the function getImportedVocabFile of the tokenVocab Grammar Option Handler. The vulnerability occurs because the tool constructs file paths by directly concatenating directory and filename inputs without validating for malicious path traversal sequences like ".." or absolute paths.

An attacker can exploit this by submitting a malicious grammar file with a tokenVocab option set to a sensitive filename while specifying a library directory that includes the target file's location. When ANTLR4 processes the grammar, it reads the specified .tokens file and exposes its contents in error messages, leading to information disclosure.

Impact Analysis

This vulnerability impacts confidentiality by allowing an attacker to read arbitrary files on the system remotely without any privileges or user interaction.

The attacker can gain access to sensitive information contained in files that should not be exposed, which can lead to information disclosure.

The vulnerability does not affect the integrity or availability of the system.

Detection Guidance

This vulnerability can be detected by checking if ANTLR4 is processing grammar files with the tokenVocab option that may include path traversal sequences such as ".." or absolute paths. Monitoring for error messages that expose contents of unexpected .tokens files can also indicate exploitation attempts.

You can search for suspicious grammar files or commands invoking ANTLR4 with the -lib option pointing to directories outside the expected scope. For example, on a Unix-like system, you might use commands like:

  • grep -r 'tokenVocab' /path/to/grammar/files
  • grep -r '\.tokens' /path/to/grammar/files
  • audit or monitor ANTLR4 command executions for usage of the -lib option with unexpected directory paths.
Mitigation Strategies

Immediate mitigation involves validating the vocabName parameter against a strict identifier pattern to prevent path traversal sequences and ensuring that the constructed file path remains within the intended library directory.

Additionally, restrict or monitor the usage of the -lib option in ANTLR4 to prevent attackers from specifying arbitrary directories that could lead to reading sensitive files.

If possible, update or patch ANTLR4 to a version that includes this validation or apply custom fixes to the getImportedVocabFile function to sanitize input paths.

Compliance Impact

The vulnerability in ANTLR4 allows arbitrary file read through path traversal, leading to information disclosure. This exposure of sensitive file contents can impact confidentiality requirements mandated by standards such as GDPR and HIPAA.

Since the vulnerability compromises confidentiality by exposing potentially sensitive data without authorization, it may result in non-compliance with regulations that require protection of personal or sensitive information.

However, the vulnerability does not affect integrity or availability, focusing the compliance impact primarily on confidentiality controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart