PYSEC-2026-258

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aim/PYSEC-2026-258.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-258
Aliases
Published
2026-06-29T11:50:34.376380Z
Modified
2026-07-01T20:22:47.672031Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Aim path traversal in LockManager.release_locks
Details

A path traversal vulnerability in the LockManager.release_locks function of aimhubio/aim (as of commit bb76afe) allows arbitrary file deletion. The run_hash parameter is caller-controlled and is concatenated into the path of the lock file to be deleted without normalization or validation, so a value containing relative path components (for example, ../ segments) resolves to a location outside the lock directory. The vulnerable code is reachable through Repo._close_run(), which is exposed by the tracking server's instruction API. A remote client of the tracking server, without authentication (the vector records PR:N), can therefore delete any file that the tracking server process has permission to remove on the host running it.

The advisory records no fixed version: 3.27.0 is listed as the last affected release, not as a release that resolves the issue.
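The bug class described above, as an added example that is not Aim's code and not taken from the advisory: a caller-supplied run_hash concatenated into a path that is then deleted, beside a hardened variant that allow-lists the identifier and checks containment. The lock-directory layout (one file per run under <repo>/locks/<run_hash>), the function names, and the assumption that a run hash is lowercase hex are illustrative choices for this example only.

```python
"""
Added example for this advisory: the bug class (caller-supplied run_hash
concatenated into a path that is then deleted) beside a hardened version.

This is NOT Aim's code. The lock-directory layout (one file per run under
<repo>/locks/<run_hash>), the function names and the assumption that a
run hash is lowercase hex are all illustrative choices for this example.
"""
import os
import re
import tempfile
from pathlib import Path


def vulnerable_lock_path(lock_dir: str, run_hash: str) -> str:
    """Path construction with no validation, mirroring the advisory's
    description: run_hash is concatenated straight into the path."""
    # os.path.join keeps '..' segments and discards lock_dir entirely if
    # run_hash is absolute, so both '../x' and '/etc/x' escape lock_dir.
    return os.path.join(lock_dir, run_hash)


def release_locks_vulnerable(lock_dir: str, run_hash: str) -> str:
    """Deletes whatever vulnerable_lock_path() points at."""
    target = vulnerable_lock_path(lock_dir, run_hash)
    if os.path.isfile(target):
        os.remove(target)
    return target


# Assumption for this example: run hashes are lowercase hex, at most 64 chars.
RUN_HASH_RE = re.compile(r"[0-9a-f]{1,64}")


class InvalidRunHash(ValueError):
    """Raised when run_hash is not a plain identifier or escapes lock_dir."""


def release_locks_hardened(lock_dir: str, run_hash: str) -> str:
    """Allow-list the identifier, then confirm the resolved path is a direct
    child of the lock directory before deleting anything."""
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise InvalidRunHash(f"run_hash is not a valid identifier: {run_hash!r}")
    base = Path(lock_dir).resolve()
    target = (base / run_hash).resolve()
    # Defence in depth: resolve() follows symlinks, so a lock file that is a
    # symlink pointing elsewhere also fails this containment check.
    if target.parent != base:
        raise InvalidRunHash(f"lock path escapes {base}: {target}")
    if target.is_file():
        target.unlink()
    return str(target)


def demo() -> dict:
    """Run both variants against a throwaway repo layout (constructed here)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        lock_dir = repo / "locks"
        lock_dir.mkdir()
        victim = repo / "important.db"        # a file outside lock_dir
        victim.write_text("do not delete")
        (lock_dir / "abc123").write_text("")  # a legitimate lock file

        # 1. Traversal through the vulnerable variant deletes the victim.
        release_locks_vulnerable(str(lock_dir), "../important.db")
        vulnerable_deleted_outside = not victim.exists()

        # 2. An absolute run_hash makes os.path.join drop lock_dir altogether.
        escaped = vulnerable_lock_path(str(lock_dir), "/etc/passwd")
        absolute_hash_escapes = not escaped.startswith(str(lock_dir))

        # 3. The hardened variant rejects the same traversal input.
        victim.write_text("do not delete")
        try:
            release_locks_hardened(str(lock_dir), "../important.db")
            hardened_rejected = False
        except InvalidRunHash:
            hardened_rejected = True

        # 4. ...and still releases a well-formed run's lock.
        release_locks_hardened(str(lock_dir), "abc123")
        hardened_released_valid = not (lock_dir / "abc123").exists()

        return {
            "vulnerable_deleted_outside": vulnerable_deleted_outside,
            "absolute_hash_escapes": absolute_hash_escapes,
            "hardened_rejected": hardened_rejected,
            "hardened_released_valid": hardened_released_valid,
            "victim_intact_after_hardened": victim.exists(),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The allow-list check is what actually closes the hole; the containment check after resolve() is a second line of defence against identifiers that pass the regex but reach outside the directory through a symlinked lock file. Normalizing the path alone (os.path.normpath) is not a fix, since it still lets an absolute or fully-qualified run_hash name any file.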

References

Affected packages

Package
PyPI / aim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.15.0
Last affected
3.27.0

Affected versions

3.15.0
3.15.1
3.15.2
3.16.0
3.16.1
3.16.2
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5rc1
3.17.5rc2
3.17.5rc3
3.17.5rc4
3.17.5
3.18.0.dev2
3.18.0.dev3
3.18.0.dev4
3.18.0.dev5
3.18.0
3.18.1
3.19.0
3.19.1
3.19.2
3.19.3
3.20.1
3.21.0
3.22.0
3.23.0
3.24.0
3.25.0
3.25.1
3.26.0.dev1
3.26.1
3.27.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aim/PYSEC-2026-258.yaml"