PT-2026-53355 · Pypi · Aim
Published
2026-06-29
·
Updated
2026-06-29
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
A vulnerability in the
LockManager.release locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo. close run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Aim