CVE-2026-6589

MEDIUM

ComfyUI server.py create_origin_only_middleware cross-site request forgery

Title source: cna

Description

A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-358224 | ComfyUI server.py create_origin_only_middleware cross-site request forgery

https://vuldb.com/vuln/358224

Signature, Permissions Required signature permissions-required

VDB-358224 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/358224/cti

Third Party Advisory third-party-advisory

Submit #791108 | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Origin Validation Error (CWE-346)

https://vuldb.com/submit/791108

Exploit exploit

https://gist.github.com/YLChen-007/d314f8120e47601dfa3ac8b899f12d1f

Scores

CVSS v3 4.3

EPSS 0.0016

EPSS Percentile 5.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352 CWE-862

Status published

Products (13)

None/ComfyUI 0.1

None/ComfyUI 0.10

None/ComfyUI 0.11

None/ComfyUI 0.12

None/ComfyUI 0.13.0

None/ComfyUI 0.2

None/ComfyUI 0.3

None/ComfyUI 0.4

None/ComfyUI 0.5

None/ComfyUI 0.6

... and 3 more

Published Apr 20, 2026

Tracked Since Apr 20, 2026