CVE-2026-13493 PUBLISHED

AIDC-AI ComfyUI-Copilot Workflow Checkpoint Restore conversation_api.py resource injection

Assigner: VulDB
Reserved: 27.06.2026 Published: 28.06.2026 Updated: 28.06.2026

A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.0

CVSS Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
CVSS Score: 2.1

Access Vector	Network	Confidentiality Impact	Partial
Access Complexity	High	Integrity Impact	None
Authentication	Single	Availability Impact	None

CVSS 2.0

Product Status

Vendor	AIDC-AI
Product	ComfyUI-Copilot
Versions	Version 2.0.0 is affected Version 2.0.1 is affected Version 2.0.2 is affected Version 2.0.3 is affected Version 2.0.4 is affected Version 2.0.5 is affected Version 2.0.6 is affected Version 2.0.7 is affected Version 2.0.8 is affected Version 2.0.9 is affected Version 2.0.10 is affected Version 2.0.11 is affected Version 2.0.12 is affected Version 2.0.13 is affected Version 2.0.14 is affected Version 2.0.15 is affected Version 2.0.16 is affected Version 2.0.17 is affected Version 2.0.18 is affected Version 2.0.19 is affected Version 2.0.20 is affected Version 2.0.21 is affected Version 2.0.22 is affected Version 2.0.23 is affected Version 2.0.24 is affected Version 2.0.25 is affected Version 2.0.26 is affected Version 2.0.27 is affected Version 2.0.28 is affected

CVE-2026-13493 PUBLISHED

AIDC-AI ComfyUI-Copilot Workflow Checkpoint Restore conversation_api.py resource injection

Metrics

Product Status

Credits

References

Problem Types