PT-2026-54931 · Allegro Ai · Clearml
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-8387
CVSS v3.1
2.4
Low
| Vector | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
allegroai/clearml versions prior to 2.1.6
Description
Relative path traversal occurs during the extraction of
.zip archives via the ZipFile.extractall() method within the StorageManager. extract to cache() function. This is caused by a lack of path traversal validation, which allows an attacker to write arbitrary files to the filesystem. Potential attack vectors include dataset, artifact, and model downloads, as well as offline session imports. This can lead to remote code execution through techniques such as SSH key overwrite, cron job injection, or web shell deployment.Recommendations
Update to version 2.1.6.
Exploit
Fix
RCE
Relative Path Traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Clearml