
CVE-2026-59094

Severity: High (CVSS 7.5)
Published: · Translated from NVD (NIST)

Exploitation Probability (EPSS)

Low risk: 0.47% (37th percentile, higher than 37% of all known CVEs)

Summary

Pathway through version 0.31.1 (fixed in commit d09722e) allows a remote unauthenticated attacker to cause a denial of service by sending a short glob pattern with many ** tokens to the /v1/retrieve, /v1/inputs, or /v2/answer HTTP endpoints. The recursive, non-memoized pattern matcher has exponential worst-case complexity, and with no length or **-count limit, a few requests can consume CPU for tens of seconds each.

Risk Assessment

The organization faces a denial-of-service risk: a few unauthenticated requests can tie up the Pathway service entirely, blocking both retrieval of indexed documents and query processing.

Recommendation

Immediately update Pathway to a version that includes commit d09722e or later. If an update is not possible, restrict access to the /v1/retrieve, /v1/inputs, and /v2/answer endpoints to trusted networks, or apply WAF rules that reject request bodies whose filepath_globpattern contains many ** tokens.

Original NVD description (English source)

In Pathway through 0.31.1 (fixed in commit d09722e), the document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.
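An added illustration, not Pathway's code or the fix in commit d09722e: a minimal segment-wise glob matcher that forks on every ** token the way the description says, beside a memoized version with a polynomial state bound and the pattern-length / **-count check the description says was absent. The limit values and helper names are assumptions.

```python
from functools import lru_cache

# Assumed limits for the added validation step; the advisory says Pathway
# enforced no length or **-count limit but names no specific values.
MAX_PATTERN_LEN = 256
MAX_DOUBLESTAR = 8

def naive_match(pattern, path, calls):
    """Segment-wise glob: '*' matches one segment, '**' zero or more. Every '**'
    forks the recursion with no memoization; calls[0] counts invocations."""
    calls[0] += 1
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        # Branch 1: '**' matches nothing.  Branch 2: it absorbs one segment and stays.
        return naive_match(rest, path, calls) or (bool(path) and naive_match(pattern, path[1:], calls))
    if not path:
        return False
    return head in ("*", path[0]) and naive_match(rest, path[1:], calls)

def memo_match(pattern, path):
    """Same semantics, memoized on (pattern index, path index): at most
    (len(pattern)+1)*(len(path)+1) states. Returns (matched, states evaluated)."""
    pattern, path = tuple(pattern), tuple(path)
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(pattern):
            return j == len(path)
        if pattern[i] == "**":
            return go(i + 1, j) or (j < len(path) and go(i, j + 1))
        if j == len(path):
            return False
        return pattern[i] in ("*", path[j]) and go(i + 1, j + 1)
    matched = go(0, 0)
    return matched, go.cache_info().currsize

def validate_pattern(pattern_str):
    """Pre-compilation check on a caller-supplied filepath_globpattern: reject over-long patterns or too many '**'."""
    if len(pattern_str) > MAX_PATTERN_LEN:
        return False
    return pattern_str.split("/").count("**") <= MAX_DOUBLESTAR

def count_naive_calls(num_doublestar, path_depth):
    """Work naive_match does for num_doublestar '**' tokens plus a never-matching literal, on a path of path_depth segments."""
    calls = [0]
    naive_match(["**"] * num_doublestar + ["x"], ["a"] * path_depth, calls)
    return calls[0]
```

Comparing count_naive_calls(8, 8) with the state count memo_match reports for the same input shows the gap between exponential and polynomial work that the validation check is there to cap.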

Vulnerability data from NVD (NIST) · CISA KEV · EPSS