CVE-2026-8387

Source
https://cve.org/CVERecord?id=CVE-2026-8387
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8387
Published
2026-07-01T12:26:55.616Z
Modified
2026-07-15T01:49:00.122666815Z
Severity
  • 2.4 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Relative Path Traversal in allegroai/clearml
Details

A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting .zip archives using the ZipFile.extractall() method in StorageManager._extract_to_cache(). This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8387.json",
    "cwe_ids": [
        "CWE-23"
    ],
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/clearml/clearml

Affected ranges

Type
GIT
Repo
https://github.com/clearml/clearml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.6"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.1rc0
0.15.2rc0
0.16.0
0.16.1
0.16.2
0.16.2rc0
0.16.3
0.16.4
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.5rc3
0.17.5rc5
0.17.5rc6
0.9.0
0.9.1
0.9.2
0.9.3
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.4rc0
1.0.4rc1
1.0.5
1.0.6rc1
1.0.6rc2
1.1.0
1.1.1
1.1.2rc0
1.1.3rc0
1.1.5rc1
1.1.5rc2
Other
untagged-38cec581542f7f989ef9
v0.*
v0.17.5rc2
v0.17.5rc4
v1.*
v1.1.3
v1.1.4
v1.1.4rc0
v1.1.5
v1.1.5rc0
v1.1.5rc3
v1.1.5rc4
v1.1.5rc5
v1.1.5rc6
v1.1.5rc7
v1.1.6
v1.1.6rc0
v1.10.0
v1.10.0_fix
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.11.1rc0
v1.11.1rc1
v1.11.1rc2
v1.11.2rc0
v1.12.0
v1.12.1
v1.12.2
v1.12.2rc0
v1.13.0
v1.13.1
v1.13.2
v1.13.3rc0
v1.13.3rc1
v1.14.0
v1.14.0rc0
v1.14.1
v1.14.2
v1.14.2rc0
v1.14.3
v1.14.3rc0
v1.14.4
v1.14.4rc0
v1.14.4rc1
v1.14.5rc0
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.2rc0
v1.16.3
v1.16.3rc0
v1.16.4
v1.16.5
v1.17.0
v1.17.1
v1.18.0
v1.2.0
v1.2.0rc0
v1.2.0rc1
v1.2.0rc2
v1.2.1
v1.2.1rc0
v1.3.0
v1.3.1
v1.3.1rc0
v1.3.2
v1.3.2rc0
v1.3.2rc2
v1.3.2rc3
v1.3.3rc0
v1.3.3rc1
v1.4.0
v1.4.1rc0
v1.4.2rc0
v1.4.2rc1
v1.5.0
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.3rc0
v1.6.3rc1
v1.6.3rc2
v1.6.4
v1.6.5rc0
v1.6.5rc1
v1.7.0
v1.7.0rc0
v1.7.0rc1
v1.7.1
v1.7.1rc0
v1.7.1rc1
v1.7.1rc2
v1.7.2
v1.7.2rc0
v1.7.2rc1
v1.7.2rc2
v1.7.3rc0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4rc0
v1.8.4rc1
v1.8.4rc2
v1.9.0
v1.9.1
v1.9.2
v1.9.2rc0
v1.9.2rc1
v1.9.3
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8387.json"