{"api_version":"1","generated_at":"2026-04-27T16:04:59+00:00","cve":"CVE-2026-6855","urls":{"html":"https://cve.report/CVE-2026-6855","api":"https://cve.report/api/cve/CVE-2026-6855.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6855","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6855"},"summary":{"title":"Instructlab: instructlab: path traversal allows arbitrary directory creation and file write","description":"A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-04-22 13:16:22","updated_at":"2026-04-22 21:23:52"},"problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Primary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460013","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2460013","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-6855","name":"https://access.redhat.com/security/cve/CVE-2026-6855","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6855","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6855","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-15T00:00:00.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-04-15T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Martin Brodeur (independent security researcher) for reporting this issue.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-6855","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-22T18:34:55.991212Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-22T18:35:05.305Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-aws-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-azure-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-azure-rocm-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-gcp-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-rocm-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Martin Brodeur (independent security researcher) for reporting this issue."}],"datePublic":"2026-04-15T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-22T12:29:44.838Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-6855"},{"name":"RHBZ#2460013","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460013"}],"timeline":[{"lang":"en","time":"2026-04-15T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-15T00:00:00.000Z","value":"Made public."}],"title":"Instructlab: instructlab: path traversal allows arbitrary directory creation and file write","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-6855","datePublished":"2026-04-22T12:29:44.838Z","dateReserved":"2026-04-22T12:20:39.844Z","dateUpdated":"2026-04-22T18:35:05.305Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 13:16:22","lastModifiedDate":"2026-04-22 21:23:52","problem_types":["CWE-22","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6855","Ordinal":"1","Title":"Instructlab: instructlab: path traversal allows arbitrary direct","CVE":"CVE-2026-6855","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6855","Ordinal":"1","NoteData":"A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.","Type":"Description","Title":"Instructlab: instructlab: path traversal allows arbitrary direct"}]}}}