CVE-2026-22777
Published: 10 January 2026
Summary
CVE-2026-22777 is a high-severity CRLF Injection (CWE-93) vulnerability in Comfy Comfyui-Manager. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, within the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-22777 is a vulnerability in ComfyUI-Manager, an extension designed to enhance the usability of ComfyUI, affecting versions prior to 3.39.2 and 4.0.5. It enables an attacker to inject special characters into HTTP query parameters, allowing the addition of arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. The issue, published on 2026-01-10, is associated with CWE-93 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), emphasizing high integrity impact.
The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows modification of the config.ini file, enabling tampering with security settings or altering application behavior to the attacker's advantage, without impacting confidentiality or availability.
Mitigation is available through patching: upgrade to ComfyUI-Manager versions 3.39.2 or 4.0.5. Detailed advisory information and the patching commit are provided in the GitHub security advisory (https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2) and commit (https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1864
Vulnerability details
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5.
- CWE(s): CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection')
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: comfyui
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote HTTP parameter injection into a public-facing ComfyUI-Manager instance directly enables T1190 (Exploit Public-Facing Application); the resulting arbitrary modification of config.ini tampers with security settings, which maps to T1562.001 (Impair Defenses: Disable or Modify Tools).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks injection of special characters via HTTP query parameters before they can write arbitrary values into config.ini.
- AC-3 (Access Enforcement): enforces access-control decisions on configuration-modifying requests so unauthenticated attackers cannot tamper with security settings.
- Restricts which principals or paths are allowed to alter configuration files, limiting the impact of any successful injection into config.ini.
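The failure mode described in the vulnerability details (a line-break character inside a query parameter turning one written setting into two) and the SI-10 input-validation control above, shown together in an added Python example that is not ComfyUI-Manager's own code. The toy INI writer, the `handle_request` handler, `SAMPLE_CONFIG`, the option names and the query strings are all constructed for illustration; the hardened variant rejects keys and values containing CR/LF before anything reaches the file, and the read-back step shows how many keys the written file actually defines.

```python
"""Toy INI writer illustrating CWE-93 (CRLF injection) and its mitigation.

Added example, not ComfyUI-Manager's code. Function names, the settings
file layout and the sample request values are constructed for illustration.
"""
import configparser
import re
from urllib.parse import parse_qs

# Constructed sample config text, standing in for a config.ini file.
SAMPLE_CONFIG = "[default]\nexample_option = true\n"

# Allowlist: keys are plain identifiers, values carry no line breaks or NUL.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
VALUE_RE = re.compile(r"[^\r\n\x00]*")


def append_setting_unsafe(config_text: str, key: str, value: str) -> str:
    """Naive writer: appends 'key = value' without neutralising CR/LF.

    A value containing a newline therefore becomes an extra line in the
    file, which the INI parser later reads back as a separate key.
    """
    return config_text + f"{key} = {value}\n"


def append_setting_safe(config_text: str, key: str, value: str) -> str:
    """Hardened writer (SI-10 style validation): refuses any key or value
    that could break out of the single 'key = value' line."""
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"rejected key: {key!r}")
    if not VALUE_RE.fullmatch(value):
        raise ValueError(f"rejected value with control characters: {value!r}")
    return config_text + f"{key} = {value}\n"


def parse_default_section(config_text: str) -> dict:
    """Read the [default] section back with the standard-library parser,
    so the number of keys the written file really defines is observable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return dict(cp["default"])


def handle_request(query_string: str, config_text: str, *, hardened: bool) -> str:
    """Simulated HTTP handler: takes ?key=...&value=... and writes the pair.

    parse_qs percent-decodes the parameters, so %0A arrives as a real "\\n".
    """
    params = parse_qs(query_string, keep_blank_values=True)
    key = params.get("key", [""])[0]
    value = params.get("value", [""])[0]
    writer = append_setting_safe if hardened else append_setting_unsafe
    return writer(config_text, key, value)


def apply_request(query_string: str, config_text: str, *, hardened: bool):
    """Convenience wrapper returning (accepted, resulting_config_text)."""
    try:
        return True, handle_request(query_string, config_text, hardened=hardened)
    except ValueError:
        return False, config_text


if __name__ == "__main__":
    # Constructed request: one intended setting plus an embedded line break
    # followed by a second, unintended setting.
    crafted = "key=theme&value=dark%0Ainjected_option%20%3D%20yes"
    accepted, text = apply_request(crafted, SAMPLE_CONFIG, hardened=False)
    print("unsafe writer accepted:", accepted)
    print("keys now defined:", sorted(parse_default_section(text)))
    accepted, text = apply_request(crafted, SAMPLE_CONFIG, hardened=True)
    print("hardened writer accepted:", accepted)
    print("keys now defined:", sorted(parse_default_section(text)))
```

Validation is the cheap, local fix; the page's AC-3 control is the complementary one, since a configuration-writing endpoint that requires an authenticated, authorised caller removes the unauthenticated remote path even before the value is inspected.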