CVE-2026-13493 - Vulnerability Details

A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AIDC-AI

ComfyUI-Copilot

affected

Version	Status	Constraints
`2.0.0`	affected	—
`2.0.1`	affected	—
`2.0.2`	affected	—
`2.0.3`	affected	—
`2.0.4`	affected	—
`2.0.5`	affected	—
`2.0.6`	affected	—
`2.0.7`	affected	—
`2.0.8`	affected	—
`2.0.9`	affected	—
`2.0.10`	affected	—
`2.0.11`	affected	—
`2.0.12`	affected	—
`2.0.13`	affected	—
`2.0.14`	affected	—
`2.0.15`	affected	—
`2.0.16`	affected	—
`2.0.17`	affected	—
`2.0.18`	affected	—
`2.0.19`	affected	—
`2.0.20`	affected	—
`2.0.21`	affected	—
`2.0.22`	affected	—
`2.0.23`	affected	—
`2.0.24`	affected	—
`2.0.25`	affected	—
`2.0.26`	affected	—
`2.0.27`	affected	—
`2.0.28`	affected	—

No data.

Project Subscriptions

Vendors	Products
Aidc-ai Subscribe	Comfyui-copilot Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/AIDC-AI/ComfyUI-Copilot/
https://github.com/AIDC-AI/ComfyUI-Copilot/issues/149
https://github.com/AIDC-AI/ComfyUI-Copilot/pull/150
https://vuldb.com/cve/CVE-2026-13493
https://vuldb.com/submit/838497
https://vuldb.com/vuln/374489
https://vuldb.com/vuln/374489/cti

History

Sun, 28 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. This issue affects some unknown processing of the file backend/controller/conversation_api.py of the component Workflow Checkpoint Restore Handler. Executing a manipulation can lead to improper control of resource identifiers. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Title		AIDC-AI ComfyUI-Copilot Workflow Checkpoint Restore conversation_api.py resource injection
First Time appeared		Aidc-ai Aidc-ai comfyui-copilot
Weaknesses		CWE-99
CPEs		cpe:2.3:a:aidc-ai:comfyui-copilot::::::::
Vendors & Products		Aidc-ai Aidc-ai comfyui-copilot
References		https://github.com/AIDC-AI/ComfyUI-Copilot/ https://github.com/AIDC-AI/ComfyUI-Copilot/issues/149 https://github.com/AIDC-AI/ComfyUI-Copilot/pull/150 https://vuldb.com/cve/CVE-2026-13493 https://vuldb.com/submit/838497 https://vuldb.com/vuln/374489 https://vuldb.com/vuln/374489/cti
Metrics		cvssV2_0 `{'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-28T12:00:09.952Z

Updated: 2026-06-28T12:00:09.952Z

Reserved: 2026-06-27T17:03:08.476Z

Link: CVE-2026-13493

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-99

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object