PT-2026-31984 · Rembg · Rembg

Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-40086

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rembg versions prior to 2.0.75
Description: A path traversal vulnerability exists in the rembg HTTP server that allows an unauthenticated remote attacker to read arbitrary files on the server's filesystem. By sending a crafted request whose model path parameter points outside the model directory, the attacker forces the server to attempt loading any file as an ONNX model; the resulting error messages reveal whether the file exists, what permissions it has and, in part, its contents. The root cause is missing input validation of the `extras` JSON parameter for custom model types, specifically in `im_without_bg()` and the subsequent path handling in `download_models()`. The custom model feature was designed for CLI use with local filesystem access, but it is exposed through the HTTP API without any restriction, so a client can steer the model path to files outside the intended directory. The consequences are information disclosure, credential discovery, infrastructure mapping and, potentially, denial of service.
Recommendations: Disable custom models for the HTTP API by filtering custom model sessions out of the list the HTTP server accepts. Alternatively, validate the model path against an allowlist of permitted directories before it is used. As a last resort, document the security considerations and warn users about the risk of exposing the server directly to the internet and about the potential need to disable custom model support.
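The two recommendations above, worked through as an added example that is not rembg's own code: a hypothetical model-path resolver that anchors the requested path under a model directory, resolves `..`, symlinks and absolute paths, and rejects anything that ends up outside the allowed roots, shown beside the unsafe pattern the advisory describes (an illustrative re-creation, not the project's actual implementation), plus a filter that drops custom-model sessions from the list the HTTP API offers. The `extras` key `model_path`, the session name `u2net_custom`, the placeholder model bytes and all helper names are assumptions for this example.

```python
"""Added example (not rembg's own code): allowlist validation of a
user-supplied model path, beside the unvalidated pattern it replaces.

Assumptions (hypothetical, not taken from the advisory): the HTTP request
carries an `extras` JSON object with a `model_path` key, the server keeps
its ONNX models in a fixed directory, and the custom session is named
"u2net_custom"."""
import json
import tempfile
from pathlib import Path


class ModelPathRejected(ValueError):
    """Raised when a requested model path escapes the allowed directories."""


def validate_model_path(requested: str, allowed_dirs: list) -> Path:
    """Resolve `requested` and require it to lie inside one of `allowed_dirs`.

    Resolution (symlinks, `..`, absolute paths) happens before the containment
    check, so `../../etc/passwd` and `/etc/passwd` are both rejected. Only
    `.onnx` files are accepted, so a directory or text file cannot be probed.
    """
    roots = [Path(d).resolve() for d in allowed_dirs]
    candidate = Path(requested)
    if not candidate.is_absolute():
        # Relative names are anchored to the first allowed directory.
        candidate = roots[0] / candidate
    resolved = candidate.resolve()
    for root in roots:
        try:
            resolved.relative_to(root)
        except ValueError:
            continue  # not under this root; try the next one
        if resolved.suffix.lower() != ".onnx":
            raise ModelPathRejected(f"not an .onnx file: {requested}")
        return resolved
    raise ModelPathRejected(f"path escapes the model directories: {requested}")


def unsafe_model_path(extras_json: str) -> Path:
    """Unvalidated pattern (hypothetical re-creation of the flaw the advisory
    describes): the client-supplied path is used as-is, so any file the
    server process can read may be handed to the ONNX loader."""
    extras = json.loads(extras_json)
    return Path(extras["model_path"])


def safe_model_path(extras_json: str, allowed_dirs: list) -> Path:
    """Hardened variant: the same request goes through the allowlist check."""
    extras = json.loads(extras_json)
    return validate_model_path(str(extras.get("model_path", "")), allowed_dirs)


def http_model_choices(session_names, custom_names=("u2net_custom",)):
    """First recommendation: remove custom-model sessions from the list the
    HTTP API accepts, leaving them available to the CLI only."""
    return [name for name in session_names if name not in custom_names]


def demo() -> dict:
    """Run both variants against constructed requests in a temporary model
    directory (sample data, not captured traffic) and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        models = Path(tmp) / "models"
        models.mkdir()
        (models / "u2net.onnx").write_bytes(b"\x08\x01")  # placeholder bytes, not a real model
        secret = Path(tmp) / "secret.txt"  # a file outside the model directory
        secret.write_text("token=abc123\n")

        good = json.dumps({"model_path": "u2net.onnx"})
        traversal = json.dumps({"model_path": "../secret.txt"})
        absolute = json.dumps({"model_path": str(secret)})

        out = {}
        # The unvalidated variant opens the file outside the model directory.
        out["unsafe_opens_secret"] = unsafe_model_path(absolute).read_text().startswith("token=")
        out["safe_accepts_good"] = safe_model_path(good, [models]).name
        for label, request in (("traversal", traversal), ("absolute", absolute)):
            try:
                safe_model_path(request, [models])
                out[f"safe_rejects_{label}"] = False
            except ModelPathRejected:
                out[f"safe_rejects_{label}"] = True
        return out


if __name__ == "__main__":
    print(demo())
    print(http_model_choices(["u2net", "u2net_custom", "isnet-general-use"]))
```

The containment test is done on the fully resolved path rather than on the string, because a prefix check on the raw input is bypassed by `..` segments, by a symlink planted inside the model directory, or by an absolute path that merely starts with the same characters.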

Fix: Update to Rembg 2.0.75 or later.

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-40086, GHSA-3WQJ-33CG-XC48

Affected Products: Rembg