Path Traversal Vulnerability in InstructLab Affects Red Hat
CVE-2026-6855

7.1HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux Ai (rhel Ai) 3
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-6855?

A vulnerability exists in InstructLab that can be exploited by local attackers to perform path traversal via the logs_dir parameter in the chat session handler. This exploitation enables the creation of new directories and writing of files to arbitrary locations on the system, resulting in potential unauthorized data modification or disclosure. Proper validation and sanitization of input parameters are recommended to mitigate this risk.

References

https://access.redhat.com/security/cve/CVE-2026-6855

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2460013

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Red Hat would like to thank Martin Brodeur (independent security researcher) for reporting this issue.

CVE-2026-6855 Data

JSON