Description
A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
E
Physical
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
E
Physical
RL
X
RC
Required
Affected products
References
- MISChttps://vuldb.com/vuln/374489
- MISChttps://vuldb.com/vuln/374489/cti
- MISChttps://vuldb.com/cve/CVE-2026-13493
- MISChttps://vuldb.com/submit/838497
- MISChttps://github.com/AIDC-AI/ComfyUI-Copilot/issues/149
- PATCHhttps://github.com/AIDC-AI/ComfyUI-Copilot/pull/150
- MISChttps://github.com/AIDC-AI/ComfyUI-Copilot/