CVE-2026-0847
Published: 04 March 2026
Summary
CVE-2026-0847 is a high-severity Path Traversal (CWE-22) vulnerability in NLTK (the Python Natural Language Toolkit). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as NLP Libraries and falls in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0847 is a path traversal vulnerability (CWE-22) in NLTK versions up to and including 3.9.2. It affects multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader, which fail to properly sanitize or validate file paths. This enables attackers to traverse directories and access arbitrary files on the server where NLTK is deployed.
Remote unauthenticated attackers can exploit this vulnerability with low complexity, as indicated by its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation requires scenarios where user-controlled inputs are processed as file paths, such as in machine learning APIs, chatbots, or NLP pipelines. Successful attacks allow unauthorized reads of sensitive files, including system files, SSH private keys, and API tokens, and may escalate to remote code execution when combined with other vulnerabilities.
Mitigation details are available in the Huntr advisory at https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966.
This vulnerability is particularly critical for AI/ML and NLP applications relying on NLTK for corpus processing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9475
Vulnerability details
A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.
AI Security Analysis
- AI Category: NLP Libraries
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: machine learning, nltk
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing NLTK deployment enables remote exploitation (T1190, Exploit Public-Facing Application) and direct unauthorized file reads, including credentials (T1005, Data from Local System; T1552.001, Credentials In Files).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation at file path interfaces, directly preventing path traversal attacks by sanitizing user-controlled inputs in NLTK CorpusReader classes.
SI-2 requires timely flaw remediation, such as patching NLTK to versions beyond 3.9.2 to eliminate the path traversal vulnerability.
AC-6 enforces least privilege, limiting the damage from successful path traversal by restricting the application's access to sensitive files.
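The SI-10 control above calls for validating user-controlled file paths before they reach a CorpusReader. The following is an added example, not code from NLTK or from the advisory: a wrapper that resolves each requested fileid against the corpus root on the real (symlink-followed) path and rejects anything that escapes it, so a validated list can then be handed to a reader such as WordListCorpusReader(root, fileids). The demo() corpus layout, the file names and the CorpusPathError type are constructed for illustration and assume a POSIX-style filesystem.

```python
import tempfile
from pathlib import Path


class CorpusPathError(ValueError):
    """A requested fileid would resolve outside the corpus root."""


def resolve_corpus_fileid(root: str, fileid: str) -> Path:
    """Resolve fileid under root on the real (symlink-followed) path, so
    '..' segments, absolute paths and symlinks to outside files are rejected."""
    root_real = Path(root).resolve(strict=True)
    if Path(fileid).is_absolute():
        raise CorpusPathError(f"absolute fileid rejected: {fileid!r}")
    candidate = (root_real / fileid).resolve(strict=False)
    if root_real not in candidate.parents:
        raise CorpusPathError(f"fileid escapes corpus root: {fileid!r}")
    if not candidate.is_file():
        raise CorpusPathError(f"not a regular file under root: {fileid!r}")
    return candidate


def safe_fileids(root: str, fileids: list[str]) -> list[str]:
    """Validate every fileid before handing the list to a CorpusReader,
    e.g. WordListCorpusReader(root, safe_fileids(root, user_fileids))."""
    for fid in fileids:
        resolve_corpus_fileid(root, fid)
    return list(fileids)


def demo() -> dict[str, str]:
    """Constructed corpus: root/words.txt and a symlink to a file outside root."""
    base = Path(tempfile.mkdtemp())
    root = base / "corpus"
    root.mkdir()
    (root / "words.txt").write_text("alpha\nbeta\n")
    (base / "secret.txt").write_text("outside the corpus\n")
    try:
        (root / "link.txt").symlink_to(base / "secret.txt")
    except OSError:
        pass  # no symlink support: link.txt is then simply missing, still rejected
    results = {}
    for fid in ["words.txt", "sub/../words.txt", "../secret.txt", "/etc/passwd", "link.txt"]:
        try:
            resolve_corpus_fileid(str(root), fid)
            results[fid] = "ok"
        except CorpusPathError:
            results[fid] = "rejected"
    return results
```

Note that "sub/../words.txt" is accepted because it resolves to a file inside the root, while "link.txt" is rejected even though it sits inside the root directory, which a purely lexical check on the string would miss.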