Cyber Resilience

CVE-2026-26202

High · Public PoC

Published: 19 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: available (2.13.2)
CVSS Score (v3.1): 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26202 is a high-severity Path Traversal (CWE-22) vulnerability in Kaleidos Penpot. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The EPSS score places it at the 28.7th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26202 is an arbitrary file read vulnerability in Penpot, an open-source design tool for design and code collaboration. In versions prior to 2.13.2, the `create-font-variant` RPC endpoint allows an authenticated user to supply a local file path, such as `/etc/passwd`, as a font data chunk. This causes the file contents to be stored and retrievable as a "font" asset, enabling unauthorized access to files on the host filesystem that are readable by the Penpot backend process. The issue is classified under CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Any authenticated user with team edit permissions can exploit this vulnerability remotely over the network with low complexity. Note that the recorded CVSS vector carries PR:N (no privileges required) even though the advisory text requires an authenticated account with team edit rights; the effective precondition is an account on the instance, which is cheap to obtain where self-registration is open but is not zero. Attackers can read sensitive system files, application secrets, database credentials, and private keys, limited only by the filesystem permissions of the Penpot backend user. In containerized deployments the impact is confined to the container's filesystem, but environment variables, mounted secrets, and application configuration remain exposed and can be the stepping stone to further server compromise.

Penpot version 2.13.2 patches the vulnerability. The fix is in the commit at https://github.com/penpot/penpot/commit/06e5825c8a0209889966a4eb5152efd6ff108626, and the project's advisory is at https://github.com/penpot/penpot/security/advisories/GHSA-xp3f-g8rq-9px2. Upgrade to 2.13.2 or later. Until that is done, review which accounts hold team edit permissions; where pre-patch exploitation cannot be ruled out, treat the secrets readable by the backend process (configuration files, environment variables, mounted secrets) as exposed and rotate them.
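To make the flaw concrete, here is an added Python illustration of the pattern the advisory describes, placed beside a hardened handler. It is not Penpot's code (the real backend is Clojure and the real fix is in the linked commit); the function names, the `store` dictionary, the font magic-byte table and the temporary "passwd" file are all assumptions constructed for the example.

```python
"""Added example (not Penpot's code): a font-variant handler that treats a string
chunk as a server-side path (the CWE-73 pattern) next to a hardened version.
Names, the store dict and the sample secret are constructed for the example."""
import os
import tempfile

# Leading bytes of the font containers a design tool would accept (sfnt/TTF, OTF, WOFF, WOFF2).
FONT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"wOFF", b"wOF2")


class InvalidFontChunk(ValueError):
    """Raised by the hardened handler when a chunk is not uploaded font bytes."""


def is_font_blob(blob: bytes) -> bool:
    """Cheap structural check: real font data starts with a known container tag."""
    return any(blob.startswith(m) for m in FONT_MAGICS)


def store_font_variant_vulnerable(chunks, store: dict) -> bytes:
    """Flawed pattern: a chunk that arrives as a string is treated as a path on the
    server and read into the asset. The caller controls the string, so /etc/passwd
    (or any file the backend user can read) is stored and served back as a "font"."""
    blob = b""
    for chunk in chunks:
        if isinstance(chunk, str):
            with open(chunk, "rb") as fh:      # attacker-chosen path
                blob += fh.read()
        else:
            blob += chunk
    store["font-variant"] = blob
    return blob


def store_font_variant_hardened(chunks, store: dict) -> bytes:
    """Hardened handler: chunks must be bytes from the upload itself, never a path,
    and the assembled asset must look like a font before it is stored."""
    blob = b""
    for chunk in chunks:
        if not isinstance(chunk, (bytes, bytearray)):
            raise InvalidFontChunk(f"chunk must be uploaded bytes, got {type(chunk).__name__}")
        blob += bytes(chunk)
    if not is_font_blob(blob):
        raise InvalidFontChunk("assembled data is not a recognised font container")
    store["font-variant"] = blob
    return blob


def demo() -> dict:
    """Run both handlers against a constructed secret file standing in for /etc/passwd."""
    secret = b"root:x:0:0:root:/root:/bin/bash\n"   # constructed sample, not a real file
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "passwd")
        with open(secret_path, "wb") as fh:
            fh.write(secret)

        # Vulnerable handler: the path string is opened and its contents become the asset.
        leaked = store_font_variant_vulnerable([secret_path], store={}) == secret

        # Hardened handler: a string chunk is rejected before any file is touched.
        try:
            store_font_variant_hardened([secret_path], store={})
            path_rejected = False
        except InvalidFontChunk:
            path_rejected = True

        # Raw file contents uploaded as bytes are also rejected: they are not a font.
        try:
            store_font_variant_hardened([secret], store={})
            content_rejected = False
        except InvalidFontChunk:
            content_rejected = True

    # A genuine-looking upload split across two chunks is accepted and reassembled.
    fake_woff2 = b"wOF2" + b"\x00" * 44   # constructed: only the container tag matters here
    store = {}
    accepted = store_font_variant_hardened([fake_woff2[:10], fake_woff2[10:]], store) == fake_woff2
    return {"vulnerable_leaked": leaked, "hardened_rejects_path": path_rejected,
            "hardened_rejects_non_font": content_rejected, "hardened_accepts_font": accepted}


if __name__ == "__main__":
    print(demo())
```

The two checks in the hardened handler are independent: rejecting non-bytes chunks closes the file-read primitive itself, while the container-tag check stops a caller from laundering arbitrary uploaded bytes through the font store. A production handler would go further (full font parsing, size limits), but neither check depends on the other.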

Vulnerability details

Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file contents being stored and retrievable as a "font" asset. This is an arbitrary file read vulnerability. Any authenticated user with team edit permissions can read arbitrary files accessible to the Penpot backend process on the host filesystem. This can lead to exposure of sensitive system files, application secrets, database credentials, and private keys, potentially enabling further compromise of the server. In containerized deployments, the blast radius may be limited to the container filesystem, but environment variables, mounted secrets, and application configuration are still at risk. Version 2.13.2 contains a patch for the issue.

CWE(s): CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

Arbitrary file read via path traversal directly enables collection of local system data including credential files and private keys.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
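Because exploitation leaves the stolen file sitting in the font store, a responder can hunt for it after the fact. The following Python sweep is an added example, not Penpot tooling: it walks stored font assets, flags any whose bytes are not a font container, and tags what the leaked content looks like (passwd entries, dotenv secrets, database URLs, private keys, matching T1552.001 and T1552.004 above). The asset records, their field names and the indicator regexes are constructed and hypothetical; on a real instance the records would come from the font asset table or object storage.

```python
"""Added hunting example (not Penpot tooling): flag stored "font" assets whose
content is not a font, which is what a file read via create-font-variant leaves
behind. Asset records, field names and indicator patterns are constructed."""
import re
from typing import Dict, List

# Leading bytes of the font containers a design tool would accept (sfnt/TTF, OTF, WOFF, WOFF2).
FONT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"wOFF", b"wOF2")

# What an attacker pulls first through an arbitrary read (T1552.001, T1552.004). Hypothetical ruleset.
LEAK_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "passwd-file": re.compile(rb"^[a-z_][a-z0-9_-]*:[x*!]?:\d+:\d+:", re.M),
    "dotenv-secret": re.compile(rb"^[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|KEY)=\S", re.M),
    "db-url": re.compile(rb"(?:postgres(?:ql)?|mysql|redis)://\S+"),
}


def is_font_blob(blob: bytes) -> bool:
    """A genuine font upload starts with one of the known container tags."""
    return any(blob.startswith(m) for m in FONT_MAGICS)


def classify_leak(blob: bytes) -> List[str]:
    """Name the kinds of secret material a non-font blob appears to contain."""
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(blob)]


def sweep_font_assets(assets: List[Dict]) -> List[Dict]:
    """Return one finding per stored asset whose bytes are not a font container.
    Each record is expected to carry 'asset_id', 'created_by' and 'data' (bytes);
    'created_by' is kept because it points at the account that ran the read."""
    findings = []
    for asset in assets:
        if is_font_blob(asset["data"]):
            continue
        findings.append({
            "asset_id": asset["asset_id"],
            "created_by": asset["created_by"],
            "size": len(asset["data"]),
            "indicators": classify_leak(asset["data"]) or ["unknown-non-font"],
        })
    return findings


# Constructed sample store: one real-looking font, four assets an exploit would leave behind.
SAMPLE_ASSETS = [
    {"asset_id": "font-1", "created_by": "designer-3", "data": b"wOF2" + b"\x00" * 40},
    {"asset_id": "font-2", "created_by": "user-7",
     "data": b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"},
    {"asset_id": "font-3", "created_by": "user-7",
     "data": b"PENPOT_DATABASE_URI=postgresql://penpot:hunter2@db/penpot\nPENPOT_DATABASE_PASSWORD=hunter2\n"},
    {"asset_id": "font-4", "created_by": "user-7",
     "data": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n"},
    {"asset_id": "font-5", "created_by": "user-9", "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16},
]


if __name__ == "__main__":
    for finding in sweep_font_assets(SAMPLE_ASSETS):
        print(finding)
```

An "unknown-non-font" finding is still worth a look: the sweep keys on the container tag, not on the indicator patterns, so a read of a file type the ruleset does not recognise is flagged rather than missed. Grouping findings by `created_by` gives the account to suspend and the login history to pull next.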

CVEs Like This One

CVE-2026-30240 (shared CWE-22, CWE-73)
CVE-2025-68428 (shared CWE-22, CWE-73)
CVE-2026-33476 (shared CWE-22, CWE-73)
CVE-2026-41693 (shared CWE-22, CWE-73)
CVE-2026-33166 (shared CWE-22)
CVE-2024-12036 (shared CWE-73)
CVE-2026-23491 (shared CWE-22)
CVE-2026-35668 (shared CWE-22)
CVE-2026-0651 (shared CWE-22)
CVE-2026-26985 (shared CWE-22)

Affected Assets

kaleidos
penpot
< 2.13.2 (fixed in 2.13.2)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of system flaws such as this arbitrary file read; the direct remediation is upgrading to Penpot 2.13.2.

SI-10 Information Input Validation (prevent): at RPC endpoints such as create-font-variant, validate that a font data chunk is uploaded file content and not a server-side path, so the handler never opens a caller-supplied filename; checking that the assembled asset is actually a font container closes the same hole from the other side.

AC-6 Least Privilege (prevent): running the Penpot backend process with the minimum filesystem access it needs, and keeping secrets it does not need out of its environment and mounts, reduces the blast radius of any arbitrary file read to the locations the process must be able to read.

References

https://github.com/penpot/penpot/security/advisories/GHSA-xp3f-g8rq-9px2
https://github.com/penpot/penpot/commit/06e5825c8a0209889966a4eb5152efd6ff108626