CVE-2026-0615
Published: 16 January 2026
Summary
CVE-2026-0615 is a high-severity an unspecified weakness vulnerability in Thelibrarian The Librarian. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Process Discovery (T1057); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-0615 is a vulnerability in TheLibrarian backend where the supervisord status page can be retrieved via the web_fetch tool, exposing information about running processes. This affects TheLibrarian software, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The issue is categorized under NVD-CWE-noinfo.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Successful exploitation allows retrieval of running processes within the backend, resulting in low impacts to confidentiality, integrity, and availability.
The vendor has fixed the vulnerability in all affected versions. Additional details are available in the vendor advisory at https://thelibrarian.io/ and a related analysis at http://mindgard.ai/blog/thelibrarian-ios-ai-security-.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2939
Vulnerability details
The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly exposes running process information from supervisord status page via unauthenticated web_fetch access, enabling remote Process Discovery.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces access control policy so the web_fetch tool cannot retrieve the supervisord status page or any other internal backend resource without explicit authorization.
Restricts the web_fetch tool to only the minimum privileges required, preventing it from reaching sensitive process-status endpoints.
Applies boundary-protection mechanisms that block external or untrusted tool access to internal management interfaces such as supervisord.