CVE-2026-59094
Severity: High (CVSS 7.5)
Exploitation Probability (EPSS): Low risk, 37th percentile (higher than 37% of all known CVEs)
Summary
Pathway through version 0.31.1 (fixed in commit d09722e) allows a remote unauthenticated attacker to cause a denial of service by sending a short glob pattern with many ** tokens in the filepath_globpattern field of requests to the /v1/retrieve, /v1/inputs, or /v2/answer HTTP endpoints. The document store's hand-written recursive matcher branches two ways at every ** token without memoization, so its worst-case cost grows exponentially with the number of ** tokens, and the compiled filter is evaluated once per indexed document. With no pattern-length or **-count limit, a few requests can each consume CPU for tens of seconds.
Risk Assessment
The organization faces a denial-of-service risk – a few unauthenticated requests can completely block the Pathway service, preventing access to indexed documents and query processing.
Recommendation
Immediately update Pathway to a version containing commit d09722e or later. If an update is not possible, restrict access to the /v1/retrieve, /v1/inputs, and /v2/answer endpoints to trusted networks, or apply WAF rules that reject requests whose filepath_globpattern field exceeds a length limit or contains more than a few ** tokens. Because the pattern is carried in the request body rather than the URL, such a rule must inspect the body.
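The Summary and Recommendation above describe a matcher that branches two ways at every ** token without memoization, and the missing length and **-count limits. The following is an added example written for this page; it is not Pathway's code, its API, or the fixing commit. It shows an illustrative recursive matcher in the vulnerable shape, the same matching rules with memoization on the (token index, path index) state, and a pre-flight check of the kind the recommendation calls for. The tokenizer, the matching rules (** may cross a path separator, * and ? may not), the function names, the two limits and the sample inputs are all assumptions chosen to demonstrate the class of bug.

```python
"""Naive vs. memoized '**' glob matching, plus a pre-flight pattern check.

Added example for this advisory page; it is NOT Pathway's matcher or its
API.  The tokenizer, the matching rules ('**' crosses '/', '*' and '?' do
not) and the two limits below are assumptions chosen to illustrate the
class of bug the CVE describes, not values taken from the project.
"""
from functools import lru_cache

MAX_PATTERN_LEN = 256   # assumed limit, not Pathway's
MAX_DOUBLE_STARS = 4    # assumed limit, not Pathway's


def tokenize(pattern: str) -> tuple:
    """Split a glob into tokens: '**', '*', '?' or a single literal char."""
    tokens = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            tokens.append("**")
            i += 2
        else:
            tokens.append(pattern[i])
            i += 1
    return tuple(tokens)


def _match_body(tokens, path, rec, ti, pi):
    """One matching step; `rec` is the (cached or uncached) recursive call."""
    if ti == len(tokens):
        return pi == len(path)
    tok = tokens[ti]
    if tok == "**":
        # Two-way branch: '**' is finished, or it swallows one more char
        # (including '/').  Without memoization every (ti, pi) state is
        # re-derived along every path that reaches it, which is the blow-up.
        if rec(ti + 1, pi):
            return True
        return pi < len(path) and rec(ti, pi + 1)
    if tok == "*":
        # Same shape as '**', but it may not cross a path separator.
        if rec(ti + 1, pi):
            return True
        return pi < len(path) and path[pi] != "/" and rec(ti, pi + 1)
    if pi == len(path):
        return False
    if tok == "?":
        return path[pi] != "/" and rec(ti + 1, pi + 1)
    return path[pi] == tok and rec(ti + 1, pi + 1)


def naive_match(pattern: str, path: str):
    """Uncached recursion (the vulnerable shape). Returns (matched, calls)."""
    tokens = tokenize(pattern)
    calls = [0]

    def rec(ti, pi):
        calls[0] += 1
        return _match_body(tokens, path, rec, ti, pi)

    return rec(0, 0), calls[0]


def memoized_match(pattern: str, path: str):
    """Same rules, but each (ti, pi) state is evaluated once, so the work is
    bounded by (len(tokens)+1) * (len(path)+1). Returns (matched, evaluations)."""
    tokens = tokenize(pattern)
    calls = [0]

    @lru_cache(maxsize=None)
    def rec(ti, pi):
        calls[0] += 1
        return _match_body(tokens, path, rec, ti, pi)

    return rec(0, 0), calls[0]


def check_pattern(pattern: str) -> None:
    """Reject a caller-supplied pattern before compiling it into a filter:
    the length and '**'-count limits the advisory says were missing."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError(f"pattern longer than {MAX_PATTERN_LEN} characters")
    stars = tokenize(pattern).count("**")
    if stars > MAX_DOUBLE_STARS:
        raise ValueError(f"pattern has {stars} '**' tokens, limit is {MAX_DOUBLE_STARS}")


# Constructed hostile input: six '**' tokens followed by a literal that never
# appears in the path, so every branch is explored before the match fails.
HOSTILE_PATTERN = "*" * 12 + "z"
SAMPLE_PATH = "abcdefghijklmnop"   # 16 characters, constructed

if __name__ == "__main__":
    for name, fn in (("naive", naive_match), ("memoized", memoized_match)):
        matched, work = fn(HOSTILE_PATTERN, SAMPLE_PATH)
        print(f"{name:9s} matched={matched} evaluations={work}")
    try:
        check_pattern(HOSTILE_PATTERN)
    except ValueError as exc:
        print("rejected:", exc)
```

Against the constructed 16-character path, the 13-character hostile pattern drives the naive matcher through 175,559 recursive calls, while the memoized matcher evaluates 119 states, its (tokens+1)*(path+1) bound. Each additional ** token multiplies the naive count by roughly the path length divided by the token count, which is the exponential growth the summary refers to, and the filter runs once per indexed document, so the per-request cost scales with index size as well. The pre-flight check rejects the pattern before any matching happens, which is the cheapest place to stop it.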
Original NVD description (English source)
Pathway through 0.31.1, fixed in commit d09722e: the document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.

