CVE-2026-26202

Name of the Vulnerable Software and Affected Versions Penpot versions prior to 2.13.2

Description Penpot is an open-source design and code collaboration tool. An authenticated user with team edit permissions can read arbitrary files from the server. This is achieved by providing a local file path, such as /etc/passwd, as a font data chunk in the create-font-variant RPC endpoint. The file contents are then stored and retrievable as a "font" asset. This can expose sensitive system files, application secrets, database credentials, and private keys, potentially leading to further compromise of the server. In containerized deployments, the risk extends to environment variables, mounted secrets, and application configuration. The vulnerable API endpoint is /create-font-variant and the vulnerable variable is the font data chunk.

Recommendations Update to version 2.13.2 or later.