Path Traversal Vulnerability in AIL Framework by AIL Project
CVE-2026-56138

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
19 June 2026

What is CVE-2026-56138?

The AIL Framework is susceptible to a path traversal vulnerability within its /objects/item/diff API endpoint. This flaw allows authenticated users to manipulate item identifiers via the s1 and s2 query parameters. Previously, the framework did not ensure that the referenced items were valid AIL objects before attempting to retrieve and compare their contents. Attackers could exploit this vulnerability by injecting malicious identifiers containing path traversal sequences, enabling them to access gzip-compressed files within the server's local file system. Although the vulnerability is now mitigated by validating item existence prior to content access, it serves as a reminder of the importance of stringent input validation to prevent unauthorized data exposure.
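A containment and existence check of the kind the mitigation describes, as an added example that is not AIL's own code. The function names, the exception class and the on-disk layout of the item store are hypothetical, and the sample files are constructed for the demonstration.

```python
import gzip
import os
import tempfile

# Hypothetical names throughout: none of these identifiers come from AIL.
class InvalidItemId(ValueError):
    pass

def resolve_item_path(items_dir, item_id):
    """Map an item id to a file inside items_dir, or raise InvalidItemId."""
    if not item_id or "\x00" in item_id or os.path.isabs(item_id):
        raise InvalidItemId("malformed item id")
    base = os.path.realpath(items_dir)
    candidate = os.path.realpath(os.path.join(base, item_id))
    # realpath collapses ".." and follows symlinks, so containment is
    # checked on the location that would actually be opened.
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidItemId("item id escapes the item store")
    if not os.path.isfile(candidate):
        raise InvalidItemId("no such item")
    return candidate

def read_item(items_dir, item_id):
    """Return the decompressed content of a validated item."""
    with gzip.open(resolve_item_path(items_dir, item_id), "rb") as fh:
        return fh.read()

def diff_request_allowed(items_dir, s1, s2):
    """Validate both identifiers before any content is read or compared."""
    try:
        resolve_item_path(items_dir, s1)
        resolve_item_path(items_dir, s2)
    except ValueError:
        return False
    return True

def demo():
    """Build a constructed item store and a gzip file that sits outside it."""
    root = tempfile.mkdtemp()
    items = os.path.join(root, "items")
    os.makedirs(os.path.join(items, "2026", "06"))
    with gzip.open(os.path.join(items, "2026", "06", "a.gz"), "wb") as fh:
        fh.write(b"item a")
    with gzip.open(os.path.join(root, "outside.gz"), "wb") as fh:
        fh.write(b"not an item")
    return items
```

Both identifiers are validated before either file is opened, so a request with one valid and one invalid identifier never reaches the decompression step.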

Affected Version(s)

ail-framework 0 < 6.8.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aurelien Thirion
Stephen O @SakusenSec