PT-2026-54931 · Allegro Ai · Clearml

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-8387

CVSS v3.1

2.4

Low

VectorAV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions allegroai/clearml versions prior to 2.1.6
Description Relative path traversal occurs during the extraction of .zip archives via the ZipFile.extractall() method within the StorageManager. extract to cache() function. This is caused by a lack of path traversal validation, which allows an attacker to write arbitrary files to the filesystem. Potential attack vectors include dataset, artifact, and model downloads, as well as offline session imports. This can lead to remote code execution through techniques such as SSH key overwrite, cron job injection, or web shell deployment.
Recommendations Update to version 2.1.6.

Exploit

Fix

RCE

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8387

Affected Products

Clearml