CVE-2026-13493
Low | CVSS 3.1
Exploitation Probability (EPSS): Low risk, 14th percentile (higher than 14% of all known CVEs)
Summary
A flaw has been found in ComfyUI-Copilot up to version 2.0.28 in the Workflow Checkpoint Restore Handler. The issue involves improper control of resource identifiers due to unknown processing in backend/controller/conversation_api.py. The attack can be performed remotely but is difficult due to high complexity.
Risk Assessment
The organization is at risk of remote manipulation of resource identifiers, potentially leading to unauthorized data access or system disruption. The risk is moderate due to high attack complexity, but the exploit is publicly available.
Recommendation
Apply available patches or update ComfyUI-Copilot to a version above 2.0.28 as soon as it is released. Until then, restrict network access and monitor for suspicious requests.
Original NVD description (English source)
A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

