CVE-2026-6855 HIGH

CVE-2026-6855: Instructlab: instructlab: path traversal allows arbitrary directory creation and file write

Vendor: Red Hat
Product: Red Hat Enterprise Linux AI (RHEL AI) 3
Weakness: CWE-22 · Path traversal
Published: April 22, 2026
Last update: April 24, 2026

CVSS base score

7.1/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.
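One way to confine a user-supplied `logs_dir` before creating directories or writing files, shown as an added example; it is not InstructLab's code or its fix. The names `resolve_logs_dir`, `write_chat_log`, `UnsafeLogsDir`, the `chatlogs` base directory and the sample inputs are all assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeLogsDir(ValueError):
    """Requested logs_dir (or file name) escapes the allowed base directory."""


def resolve_logs_dir(base_dir, logs_dir):
    """Return logs_dir as an absolute Path confined to base_dir, or raise."""
    base = Path(base_dir).resolve(strict=True)
    # An absolute logs_dir replaces base when joined, so resolve first and
    # compare afterwards; resolve() collapses ".." and follows symlinks.
    candidate = (base / logs_dir).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise UnsafeLogsDir(f"logs_dir escapes {base}: {logs_dir!r}")
    return candidate


def write_chat_log(base_dir, logs_dir, name, text):
    """Create the confined log directory and write one new file inside it."""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise UnsafeLogsDir(f"log file name must be a bare name: {name!r}")
    target = resolve_logs_dir(base_dir, logs_dir) / name
    target.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses a
    # symlink planted as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "w", encoding="utf-8") as fh:
        fh.write(text)
    return target


def demo():
    """Try constructed logs_dir values against a temporary base directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "chatlogs"
        base.mkdir()
        os.symlink(tmp, base / "link_out")  # constructed symlink leaving base
        for value in ("session1", "a/../b", "../outside", "/tmp/abs", "link_out/x"):
            try:
                write_chat_log(base, value, "chat.log", "hello\n")
                results[value] = "ok"
            except UnsafeLogsDir:
                results[value] = "rejected"
    return results
```

The resolve-then-create sequence is not atomic, so the base directory should be writable only by the account that runs the service.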

Key dates

02 Disclosure timeline

April 22, 2026: CVE published
April 24, 2026: Record updated