CVE-2026-58198
Deferred Deferred - Pending Action

ChatterBot Predictable Path Traversal Vulnerability

Vulnerability report for CVE-2026-58198, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu_data/ubuntu_dialogs) with a check-then-create pattern followed by tar.extractall(path=self.data_path), allowing a local attacker who pre-plants a symlink at the predictable path to cause archive contents to be written through the symlink to an attacker-chosen directory. This issue is fixed in version 1.2.14.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gunthercox chatterbot 1.2.14

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-58198 allows a local attacker to exploit a symlink vulnerability to write files to arbitrary directories during archive extraction. This unauthorized file access could potentially lead to exposure or manipulation of sensitive data.

Such unauthorized access and potential data manipulation may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Executive Summary

CVE-2026-58198 is a vulnerability in the ChatterBot library, specifically in the UbuntuCorpusTrainer component prior to version 1.2.14. The issue arises because the software uses a predictable output directory path and a check-then-create pattern when extracting tar archives. An attacker with local access can pre-create a symbolic link (symlink) at this predictable path. When the archive is extracted, the contents are written through this symlink to an attacker-chosen directory, potentially overwriting or creating files in unauthorized locations.

This vulnerability is a symlink injection attack that exploits improper handling of archive extraction, allowing an attacker to redirect file writes to arbitrary locations on the system.

Impact Analysis

This vulnerability can allow a local attacker to write files to arbitrary directories on the system by exploiting the predictable output directory and symlink injection during archive extraction. This could lead to unauthorized file creation or modification, potentially compromising system integrity or security.

While the vulnerability does not directly allow remote code execution, it can be used to place malicious files or manipulate existing files, which might be leveraged in further attacks or privilege escalation.

Detection Guidance

This vulnerability involves a symlink injection attack at a predictable output directory (~/ubuntu_data/ubuntu_dialogs) used by ChatterBot's UbuntuCorpusTrainer prior to version 1.2.14. To detect if your system is vulnerable, you can check if this directory exists and whether it is a symbolic link pointing to an unexpected location.

  • Run the command: ls -l ~/ubuntu_data/ubuntu_dialogs to see if the directory is a symlink.
  • Use find to detect any symlinks in the ubuntu_data directory: find ~/ubuntu_data -type l -ls
  • Check for unexpected files or directories created outside the intended extraction path that might indicate exploitation.

Additionally, reviewing logs or monitoring file system changes around the ~/ubuntu_data/ubuntu_dialogs path may help identify suspicious activity related to this vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade ChatterBot to version 1.2.14 or later, where the vulnerability is fixed by preventing symlink injection during tar archive extraction.

  • Update ChatterBot to version 1.2.14 or newer.
  • Ensure that the output directory (~/ubuntu_data/ubuntu_dialogs) is not a symbolic link before running the trainer.
  • Manually remove or replace any symlinks at the predictable output path to prevent exploitation.

If upgrading immediately is not possible, consider restricting local user permissions to prevent creation of symlinks in the output directory and monitor for suspicious file system changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart