PT-2026-2101 · Monai · Monai

Yueyuel · Published 2026-01-06 · Updated 2026-01-08 · CVE-2026-21851

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

MONAI versions up to and including 1.5.1

Description

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. A Path Traversal (Zip Slip) issue exists in the _download_from_ngc_private() function. This function calls zipfile.ZipFile.extractall(), which extracts every file in a zip archive, without validating the member file paths. Other similar download functions within the same codebase correctly use the safe_extract_member() function for secure extraction.

A Path Traversal condition occurs when an application allows a user to access files or directories outside of the intended root directory. In the context of zip files, a 'Zip Slip' happens when a maliciously crafted zip archive contains filenames with special characters (like '..') that, when extracted, can write files to arbitrary locations on the file system.

Recommendations

Versions prior to and including 1.5.1 should be updated to a version that includes commit 4014c8475626f20f158921ae0cf98ed259ae4d59.
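The following is an added example, not MONAI's code and not the content of the fix commit: a containment check of the kind the description says was missing, run over every archive member before anything is written. The names checked_extract, resolve_member, UnsafeArchiveError and build_zip are hypothetical, and the archives are constructed in memory.

```python
import io
import os
import zipfile


class UnsafeArchiveError(Exception):
    """Raised when a zip member would land outside the extraction root."""


def resolve_member(dest_dir, member_name):
    """Return the absolute target path for a member, or raise if it escapes dest_dir."""
    root = os.path.realpath(dest_dir)
    # Zip names use '/'; also treat '\' as a separator so Windows-style names are caught.
    normalized = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(root, normalized))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise UnsafeArchiveError(f"{member_name!r} resolves outside {root}")
    return target


def checked_extract(zip_file, dest_dir):
    """Validate every member first, then extract.

    Nothing is written to disk if any member fails the check.
    """
    with zipfile.ZipFile(zip_file) as zf:
        members = zf.infolist()
        for info in members:
            resolve_member(dest_dir, info.filename)
        return [zf.extract(info, dest_dir) for info in members]


def build_zip(names):
    """Constructed sample input: an in-memory archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    buf.seek(0)
    return buf
```

Validating the whole member list before the first write means an archive that mixes benign and traversal names is rejected without leaving partial output in the destination directory.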

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-21851
GHSA-9RG3-9PVR-6P27

Affected Products

Monai