CVE Catalog

CVE-2026-13493

Low · CVSS 3.1

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

A flaw has been found in ComfyUI-Copilot up to version 2.0.28, in the Workflow Checkpoint Restore Handler. Unspecified processing in backend/controller/conversation_api.py allows improper control of resource identifiers. The attack can be performed remotely, but it is difficult to carry out because of its high complexity.

Risk Assessment

The organization is at risk of remote manipulation of resource identifiers, potentially leading to unauthorized data access or system disruption. The risk is moderate due to high attack complexity, but the exploit is publicly available.

Recommendation

Apply available patches or update ComfyUI-Copilot to a version above 2.0.28 as soon as it is released. Until then, restrict network access and monitor for suspicious requests.

Original NVD description (English source)

A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS