CVE-2026-32097
Severity: HIGH
PingPong < 7.27.2 - Authenticated Authorization Bypass via File Retrieval and Deletion
Title source: llmDescription
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/comppolicylab/pingpong/security/advisories/GHSA-4wwr-5wq7-mgm4
Scores
CVSS v3: 8.8
EPSS: 0.0029
EPSS Percentile: 20.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-639
Status: published
Products (1)
harvard/pingpong: < 7.27.2
Published: Mar 11, 2026
Tracked Since: Mar 12, 2026