CVE-2026-26202
Published: 19 February 2026
Summary
CVE-2026-26202 is a high-severity Path Traversal (CWE-22) vulnerability in Kaleidos Penpot. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 28.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26202 is an arbitrary file read vulnerability in Penpot, an open-source design tool for design and code collaboration. In versions prior to 2.13.2, the `create-font-variant` RPC endpoint allows an authenticated user to supply a local file path, such as `/etc/passwd`, as a font data chunk. This causes the file contents to be stored and retrievable as a "font" asset, enabling unauthorized access to files on the host filesystem that are readable by the Penpot backend process. The issue is classified under CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any authenticated user with team edit permissions can exploit this vulnerability remotely over the network with low complexity. Attackers can read sensitive system files, application secrets, database credentials, and private keys accessible to the Penpot process. In containerized deployments, the impact is confined to the container's filesystem, though environment variables, mounted secrets, and application configurations remain exposed, potentially facilitating further server compromise.
Penpot version 2.13.2 patches the vulnerability. The fix is detailed in the commit at https://github.com/penpot/penpot/commit/06e5825c8a0209889966a4eb5152efd6ff108626, and further information is available in the security advisory at https://github.com/penpot/penpot/security/advisories/GHSA-xp3f-g8rq-9px2. Security practitioners should upgrade to the patched version and review access controls for team edit permissions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7977
Vulnerability details
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file contents being stored and retrievable as a "font" asset. This is an arbitrary file read vulnerability. Any authenticated user with team edit permissions can read arbitrary files accessible to the Penpot backend process on the host filesystem. This can lead to exposure of sensitive system files, application secrets, database credentials, and private keys, potentially enabling further compromise of the server. In containerized deployments, the blast radius may be limited to the container filesystem, but environment variables, mounted secrets, and application configuration are still at risk. Version 2.13.2 contains a patch for the issue.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read via path traversal directly enables collection of local system data including credential files and private keys.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws like this arbitrary file read vulnerability, directly mitigated by patching to Penpot version 2.13.2.
SI-10 enforces information input validation at RPC endpoints like create-font-variant to block path traversal sequences in font data chunks.
AC-6 least privilege limits the Penpot backend process's filesystem access, reducing the blast radius of arbitrary file reads to only permitted locations.
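As an added illustration of the SI-10 input-validation control above, applied to the font-data-chunk flaw described under "Deeper analysis", here is a hypothetical validator for a `create-font-variant`-style upload. This is example code written for this page, not Penpot's own implementation (its actual fix is in the linked commit); the function names, the base64 transport encoding and the sample inputs are assumptions. The point it makes: a font chunk is data, never a filename, so it is rejected if it looks like a path and only stored if it decodes to bytes carrying a known font signature.

```python
import base64
import re

# Leading bytes of the font containers an upload endpoint would accept
# (TrueType, CFF-flavoured OpenType, WOFF, WOFF2). None of their base64
# encodings begin with "/" so the path check below cannot reject a real font.
FONT_MAGIC = {
    b"\x00\x01\x00\x00": "ttf",
    b"OTTO": "otf",
    b"wOFF": "woff",
    b"wOF2": "woff2",
}

# Chunk text that reads like a filesystem location rather than encoded bytes:
# absolute, dot-relative, home-relative, Windows drive or UNC, or a file: URI.
PATH_LIKE = re.compile(r"^\s*(?:/|\.\.?/|~|[A-Za-z]:[\\/]|\\\\|file:)", re.IGNORECASE)


class InvalidFontChunk(ValueError):
    """Raised when a chunk is rejected; nothing is stored in that case."""


def validate_font_chunk(chunk: str) -> bytes:
    """Decode a base64 font chunk and return its bytes, or raise.

    The chunk is never passed to any filesystem API. It must decode cleanly
    and the decoded bytes must begin with one of the known font signatures.
    """
    if not isinstance(chunk, str) or not chunk.strip():
        raise InvalidFontChunk("font data chunk must be a non-empty string")
    if PATH_LIKE.match(chunk):
        raise InvalidFontChunk("font data chunk looks like a filesystem path")
    try:
        data = base64.b64decode(chunk, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidFontChunk("font data chunk is not valid base64") from exc
    if not any(data.startswith(magic) for magic in FONT_MAGIC):
        raise InvalidFontChunk("decoded chunk does not carry a font signature")
    return data


def font_format(chunk: str) -> str:
    """Container format ("ttf", "otf", "woff", "woff2") of a valid chunk."""
    data = validate_font_chunk(chunk)
    return next(fmt for magic, fmt in FONT_MAGIC.items() if data.startswith(magic))


def rejects(chunk: str) -> bool:
    """True if the validator refuses the chunk (used to exercise the checks)."""
    try:
        validate_font_chunk(chunk)
    except InvalidFontChunk:
        return True
    return False


# Constructed sample inputs: a minimal TrueType header and two rejected chunks.
SAMPLE_TTF = base64.b64encode(b"\x00\x01\x00\x00" + b"\x00" * 28).decode()
SAMPLE_PATH = "/etc/passwd"
SAMPLE_TEXT = base64.b64encode(b"hello, not a font").decode()
```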