{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26002", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:41:55.859Z", "datePublished": "2026-03-04T22:05:28.776Z", "dateUpdated": "2026-03-05T15:42:15.933Z"}, "containers": {"cna": {"title": "OnDemand susceptible to malicious input when navigating to a directory.", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2"}, {"name": "https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c", "tags": ["x_refsource_MISC"], "url": "https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c"}, {"name": "https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16", "tags": ["x_refsource_MISC"], "url": "https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16"}], "affected": [{"vendor": "OSC", "product": "ondemand", "versions": [{"version": "< 4.0.9", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T22:05:28.776Z"}, "descriptions": [{"lang": "en", "value": "Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible."}], "source": {"advisory": "GHSA-f83q-mhrr-3cr2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:32:44.725767Z", "id": "CVE-2026-26002", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:42:15.933Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26002", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T15:32:44.725767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:32:45.785Z"}}], "cna": {"title": "OnDemand susceptible to malicious input when navigating to a directory.", "source": {"advisory": "GHSA-f83q-mhrr-3cr2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OSC", "product": "ondemand", "versions": [{"status": "affected", "version": "< 4.0.9"}, {"status": "affected", "version": ">= 4.1.0, < 4.1.3"}]}], "references": [{"url": "https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2", "name": "https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c", "name": "https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16", "name": "https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T22:05:28.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26002", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:42:15.933Z", "dateReserved": "2026-02-09T17:41:55.859Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T22:05:28.776Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*", "matchCriteriaId": "00311901-D04A-4489-AFBC-15086935D52F", "versionEndExcluding": "3.1.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*", "matchCriteriaId": "53C4FAFA-8ECA-46BB-A237-FA667B0EF8CD", "versionEndExcluding": "4.0.9", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E9C6CE0-DE0A-4A34-988A-194B7818617F", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible."}, {"lang": "es", "value": "Open OnDemand es un portal de computaci\u00f3n de alto rendimiento de c\u00f3digo abierto. La aplicaci\u00f3n Archivos en las versiones de OnDemand anteriores a la 4.0.9 y 4.1.3 es susceptible a entrada maliciosa al navegar a un directorio. Esto ha sido parcheado en las versiones 4.0.9 y 4.1.3. Las versiones anteriores a esta permanecen susceptibles."}], "id": "CVE-2026-26002", "lastModified": "2026-03-18T16:09:26.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T23:16:09.980", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,4.1.3)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "ondemand", "source": "cna", "vendor": "OSC"}, "product": "open_ondemand", "vendor": "osc"}], "analysis": {"en": {"generated_at": "2026-04-16T13:05:18.408015+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Open OnDemand to version 4.0.9 or 4.1.3, depending on your release line.", "If an immediate update is not possible, restrict access to the Files application to authenticated, trusted users only and monitor directory traversal patterns for anomalous activity.", "Implement server\u2011side validation or sanitization of directory names in the application logic to ensure that input paths are properly neutralized before use."], "summary": {"action": "Immediate Upgrade", "impact": "Improper input validation potentially enabling unauthorized directory access within Open OnDemand Files application"}, "threat_synthesis": {"affected_systems": "OSC: Open OnDemand is affected. Versions prior to 4.0.9 for the 4.x series and prior to 4.1.3 for the 4.1.x series remain vulnerable. Upgrading to 4.0.9 or 4.1.3 applies the fix; any lower version should be considered susceptible.", "description_and_impact": "The Files application in Open OnDemand is vulnerable to an input validation flaw when navigating to a directory. According to the advisory, malicious directory names are not neutralized properly, leaving the application susceptible to processing of untrusted input. This weakness, classified as CWE\u201174, could enable an attacker to influence the file system handling logic, potentially exposing sensitive resources or causing unintended behavior.", "risk_and_exploitability": "The CVSS score of 6.3 signals a moderate severity. The EPSS score of less than 1\u202f% indicates that, at the time of analysis, the likelihood of exploitation is very low, and the vulnerability is currently not listed in the CISA KEV catalog. The flaw can be triggered via the web interface when a user submits a path in the Files application, but no specific authentication requirements are disclosed. In the absence of known exploits, the immediate risk remains moderate; however, organizations should prioritize remediation to eliminate the potential attack surface."}}}}, "created": "2026-03-05T09:05:38.121075+00:00", "updated": "2026-04-16T13:15:06.222139+00:00", "vendors": ["osc", "osc$PRODUCT$open_ondemand"]}