PYSEC-2026-358
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/invokeai/PYSEC-2026-358.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-358
- Aliases
- Published
- 2026-06-29T11:50:35.500212Z
- Modified
- 2026-06-29T12:15:22.689085450Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- InvokeAI Arbitrary File Deletion vulnerability
- Details
-
In invoke-ai/invokeai version v5.0.2, the web API
POST /api/v1/images/deleteis vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-11042
- https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a
- https://github.com/invoke-ai/InvokeAI
- https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951263987
- https://pypi.org/project/invokeai
- https://github.com/advisories/GHSA-227r-w5j2-6243
Affected packages
PyPI / invokeai
Package
- Name
- invokeai
- View open source insights on deps.dev
- Purl
- pkg:pypi/invokeai
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.3.0rc1
Affected versions
2.*
2.2.4.5
2.2.4.6
2.2.4.7
2.2.5
2.3.0a0
2.3.0a1
2.3.0a2
2.3.0a3
2.3.0rc3
2.3.0rc4
2.3.0rc5
2.3.0rc6
2.3.0rc7
2.3.0
2.3.1rc4
2.3.1
2.3.1.post1
2.3.1.post2
2.3.2
2.3.2.post1
2.3.3rc1
2.3.3
2.3.4a0
2.3.4rc1
2.3.4
2.3.4.post1
2.3.5rc1
2.3.5
2.3.5.post1
2.3.5.post2
3.*
3.0.0
3.0.1rc1
3.0.1rc2
3.0.1
3.0.1.post1
3.0.1.post2
3.0.1.post3
3.0.2a1
3.0.2rc1
3.0.2
3.0.2.post1
3.1.0
3.1.1rc1
3.1.1
3.2.0
3.3.0
3.3.0.post1
3.3.0.post2
3.3.0.post3
3.4.0rc2
3.4.0rc3
3.4.0rc4
3.4.0
3.4.0.post1
3.4.0.post2
3.5.0rc1
3.5.0rc2
3.5.0rc3
3.5.0
3.5.1
3.6.0rc1
3.6.0rc2
3.6.0rc3
3.6.0rc4
3.6.0rc5
3.6.0rc6
3.6.0
3.6.1
3.6.2
3.6.3rc1
3.6.3
3.7.0
4.*
4.0.0rc1
4.0.0rc2
4.0.0rc4
4.0.0rc5
4.0.0rc6
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.2.0a1
4.2.0a2
4.2.0a3
4.2.0a4
4.2.0b1
4.2.0b2
4.2.0
4.2.1
4.2.2
4.2.2.post1
4.2.3
4.2.4
4.2.5
4.2.6a1
4.2.6rc1
4.2.6
4.2.6.post1
4.2.7rc1
4.2.7
4.2.7.post1
4.2.8rc1
4.2.8rc2
4.2.8
4.2.9.dev3
4.2.9.dev4
4.2.9.dev5
4.2.9.dev6
4.2.9.dev7
4.2.9.dev8
4.2.9.dev9
4.2.9.dev10
4.2.9.dev11
4.2.9.dev12
4.2.9.dev20240823
4.2.9.dev20240824
4.2.9rc1
4.2.9rc2
4.2.9
5.*
5.0.0.dev13
5.0.0a1
5.0.0a2
5.0.0a3
5.0.0a4
5.0.0a5
5.0.0a6
5.0.0a7
5.0.0a8
5.0.0rc1
5.0.0rc2
5.0.0
5.0.1
5.0.2
5.1.0rc1
5.1.0rc2
5.1.0rc3
5.1.0rc4
5.1.0rc5
5.1.0
5.1.1
5.2.0rc1
5.2.0rc2
5.2.0