CVE-2026-59094

Path Traversal in Pathway Document Store

Vulnerability report for CVE-2026-59094, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

In Pathway through 0.31.1 (fixed in commit d09722e), the document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter that is evaluated once per indexed document, with no limit on pattern length or on the number of ** tokens. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of such requests denies service.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

CWE

CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Executive Summary

CVE-2026-59094 is a high-severity vulnerability in Pathway versions 0.31.1 and earlier. It involves an unauthenticated Denial of Service (DoS) attack caused by exponential glob pattern matching in the document store. The document store uses a recursive matcher for glob patterns containing the ** token, which branches two ways without memoization, leading to exponential worst-case time complexity. An attacker can send a short HTTP request with many ** tokens to unauthenticated endpoints (/v1/retrieve, /v1/inputs, /v2/answer), causing the system to consume CPU resources for tens of seconds per request. A small number of such requests can deny service to the system.

The root cause is the recursive implementation of the glob pattern matcher that does not cache intermediate results, causing an exponential number of recursive calls when processing patterns with multiple ** tokens. This leads to excessive CPU consumption and a Denial of Service condition.

Impact Analysis

This vulnerability can be exploited by a remote unauthenticated attacker to cause a Denial of Service (DoS) on the Pathway document store and related REST endpoints. By sending specially crafted requests with glob patterns containing many ** tokens, the attacker can cause the system to consume excessive CPU resources for tens of seconds per request.

The impact includes CPU exhaustion, which can degrade system performance or make the service unavailable to legitimate users. Even a small number of such malicious requests can effectively deny service, disrupting normal operations.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage when the system handles requests to the unauthenticated REST endpoints /v1/retrieve, /v1/inputs and /v2/answer. Specifically, look for request bodies whose filepath_globpattern parameter contains many '**' tokens, since these are the patterns that trigger exponential CPU consumption.

Testing can be performed by sending crafted HTTP requests with glob patterns containing multiple '**' tokens to these endpoints and observing CPU usage or response delays.

Example command using curl to test the vulnerability by sending a malicious pattern:

  • curl -X POST http://<target-host>/v1/retrieve -d '{"filepath_globpattern": "**/a/**/a/**/a/**/a/**/b"}' -H 'Content-Type: application/json'

Monitoring tools or scripts can be used to detect high CPU usage spikes correlated with such requests.

Mitigation Strategies

Immediate mitigation steps include restricting or limiting the usage of the filepath_globpattern parameter in requests to the affected endpoints (/v1/retrieve, /v1/inputs, /v2/answer).

  • Implement input validation to cap the number of '**' tokens and the total length of the filepath_globpattern parameter at the request boundary.
  • Consider adding authentication to these REST endpoints to prevent unauthenticated access.
  • Apply the official fix by updating Pathway to a version including the commit d09722e, which introduces memoization in the glob matching function to prevent exponential complexity.

Until the patch is applied, monitoring and rate limiting requests to these endpoints can help reduce the risk of denial of service.
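The request-boundary cap and the memoized matcher described above, as an added example that is not Pathway's own code (the function names and the two limits are assumptions; the actual fix is in commit d09722e):

```python
import fnmatch
from functools import lru_cache

# Assumed limits for the request-boundary check; not taken from Pathway's fix.
MAX_PATTERN_LEN = 256
MAX_DOUBLESTAR = 4


def _tokenize(pattern: str) -> tuple:
    """Split 'a/**/b' into path components; '**' stays a token of its own."""
    return tuple(p for p in pattern.split("/") if p != "")


def validate_globpattern(pattern: str) -> bool:
    """Reject over-long patterns or too many '**' tokens before the pattern
    ever reaches the per-document matcher (the cap from the mitigation list)."""
    if len(pattern) > MAX_PATTERN_LEN:
        return False
    return sum(1 for t in _tokenize(pattern) if t == "**") <= MAX_DOUBLESTAR


def glob_match_stats(pattern: str, path: str) -> tuple:
    """Match path against pattern ('**' spans zero or more components, '*'
    matches inside one component). Memoized on (pattern index, path index),
    so each state is evaluated once. Returns (matched, states_evaluated)."""
    pat, comps = _tokenize(pattern), _tokenize(path)
    visited = 0

    @lru_cache(maxsize=None)
    def rec(i: int, j: int) -> bool:
        nonlocal visited
        visited += 1  # counts cache misses only: the real work done
        if i == len(pat):
            return j == len(comps)
        if pat[i] == "**":
            # The two branches of the original matcher: '**' consumes nothing,
            # or '**' consumes one more component. Memoization keeps the
            # total number of states at (len(pat)+1) * (len(comps)+1).
            return rec(i + 1, j) or (j < len(comps) and rec(i, j + 1))
        if j == len(comps):
            return False
        if fnmatch.fnmatchcase(comps[j], pat[i]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0), visited


def glob_match(pattern: str, path: str) -> bool:
    return glob_match_stats(pattern, path)[0]
```

The pattern from the curl example above carries five '**' tokens and is refused by validate_globpattern; even when such a pattern reaches the matcher, the memoized version evaluates no more than a polynomial number of states per document.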
