PT-2026-53355 · Pypi · Aim

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
A vulnerability in the LockManager.release locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo. close run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-258

Affected Products

Aim