CVE-2026-56138
Path Traversal in AIL Framework via Item Diff Endpoint

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects. An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format. The issue was fixed by validating that both requested items exist before their contents are accessed.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ail-project
Product: ail_framework
Version / Range: up to and including commit 074f9a432702d39d7f8db07ece3a11502cf36d73
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

This vulnerability is a path traversal issue in the AIL Framework's /objects/item/diff endpoint. Authenticated users could supply malicious item identifiers containing path traversal sequences in the s1 and s2 query parameters. Because the endpoint did not verify that the referenced items actually existed as valid AIL objects, the application would read any gzip-compressed file accessible to the AIL process.

The vulnerability arises because the endpoint attempted to retrieve and compare item contents without first confirming the existence of both items, enabling unauthorized disclosure of local file contents compatible with the expected gzip format.

The issue was fixed by adding validation checks to ensure both requested items exist before accessing their contents, preventing unauthorized file access.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of local files that the AIL process can read, limited to gzip-compressed files compatible with the expected item format.

An authenticated user exploiting this flaw could access sensitive information stored in these files, potentially exposing confidential data or internal application details.

Mitigation Strategies

To mitigate this vulnerability, ensure that the AIL Framework is updated to include the security fix that validates the existence of items referenced by the s1 and s2 parameters in the /objects/item/diff endpoint.

This fix prevents path traversal attacks by returning a 404 error if the requested items do not exist, thereby blocking unauthorized access to arbitrary gzip-compressed files.

Applying the patch committed by Terrtia, which adds these validation checks in the objects_item.py file, is the immediate recommended step.

Compliance Impact

This vulnerability allows an authenticated user to perform path traversal attacks to read arbitrary gzip-compressed files accessible to the AIL process. Such unauthorized disclosure of local file contents could lead to exposure of sensitive or personal data.

Exposure of sensitive data due to this vulnerability could result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls to prevent unauthorized access and disclosure of personal or protected health information.

By allowing unauthorized file access, the vulnerability undermines confidentiality requirements mandated by these standards, potentially leading to regulatory penalties or legal consequences.

Detection Guidance

This vulnerability can be detected by monitoring and testing the /objects/item/diff endpoint for path traversal attempts using the s1 and s2 query parameters.

Since the vulnerability involves an authenticated user manipulating these parameters to access arbitrary gzip-compressed files, detection involves sending crafted requests with path traversal sequences and observing the responses.

Use curl or a similar HTTP client to send requests with path traversal payloads in the s1 and s2 parameters, for example:

  curl -i -u <user>:<password> 'http://<ail-server>/objects/item/diff?s1=../../../../etc/passwd.gz&s2=valid_item'
  curl -i -u <user>:<password> 'http://<ail-server>/objects/item/diff?s1=valid_item&s2=../../../../etc/passwd.gz'

If the server returns the contents of the gzip-compressed file or does not return a 404 error for non-existent items, the vulnerability may be present.

Additionally, reviewing server logs for unusual access patterns to the /objects/item/diff endpoint with suspicious s1 or s2 parameter values can help detect exploitation attempts.
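As an added example (not part of this record and not code from the AIL project), the following Python script carries out the log-review step described above over a few constructed access-log lines. It assumes a reverse proxy in front of AIL writing NCSA combined-format access logs; the usernames, addresses and item paths in the sample are made up. It goes beyond the two curl payloads above by also catching URL-encoded, double-encoded, backslash and absolute-path variants of the same traversal, and it records the HTTP status of each flagged request so that a served (200) response can be triaged ahead of a rejected (404) one.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined log format assumed); not real AIL logs.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/Jun/2026:10:01:02 +0000] "GET /objects/item/diff?s1=submitted/2026/06/19/a.gz&s2=submitted/2026/06/19/b.gz HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - bob [19/Jun/2026:10:02:11 +0000] "GET /objects/item/diff?s1=..%2F..%2F..%2Fetc%2Fsecret.gz&s2=submitted/2026/06/19/b.gz HTTP/1.1" 200 884 "-" "curl/8.0"
10.0.0.9 - bob [19/Jun/2026:10:02:40 +0000] "GET /objects/item/diff?s1=submitted/2026/06/19/a.gz&s2=%252e%252e/%252e%252e/etc/secret.gz HTTP/1.1" 404 201 "-" "curl/8.0"
10.0.0.7 - carol [19/Jun/2026:10:03:00 +0000] "GET /objects/item/search?q=../foo HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

# Assumed log layout: NCSA combined format as written by nginx/Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/objects/item/diff"
WATCHED_PARAMS = ("s1", "s2")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if an item identifier tries to escape the item store."""
    v = fully_decode(value).replace("\\", "/")
    # '..' as a whole path segment, or an absolute path
    return bool(re.search(r"(^|/)\.\.(/|$)", v)) or v.startswith("/")


def scan_log(text):
    """Return one finding per s1/s2 value on the diff endpoint that looks like traversal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs performs the first decoding round; fully_decode handles the rest
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                if is_traversal(raw):
                    findings.append({
                        "line": lineno,
                        "ip": m["ip"],
                        "user": m["user"],
                        "param": name,
                        "value": fully_decode(raw),
                        "status": int(m["status"]),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "served (possible disclosure)" if f["status"] == 200 else f"status {f['status']}"
        print(f"line {f['line']}: {f['user']}@{f['ip']} {f['param']}={f['value']!r} -> {verdict}")
```

On the sample input the script reports two attempts by the same account: the first was answered with 200 and should be treated as a probable disclosure on an unpatched instance, the second with 404, which is the response the fix is described as returning for non-existent items. Pointing scan_log at a real log file is a matter of reading it into text; the regex only needs adjusting if the proxy uses a different log format.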
