CVE-2026-56138

Authenticated Path Traversal in AIL framework /objects/item/diff Allows Reading Gzip-Compressed Files

Assigner: CIRCL
Reserved: 19.06.2026 Published: 19.06.2026 Updated: 19.06.2026

AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects.

An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format.

The issue was fixed by validating that both requested items exist before their contents are accessed.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	ail-project
Product	ail-framework
Versions	Default: unaffected affected from 0 to 6.8.0 (excl.)

Vendor

ail-project

Product

ail-framework

Versions

Default: unaffected

affected from 0 to 6.8.0 (excl.)

Credits

Aurelien Thirion remediation developer
Stephen O @SakusenSec finder

References

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

Impacts

CAPEC-126 Path Traversal