CVE-2026-26202
Published: 19 February 2026
Summary
CVE-2026-26202 is a high-severity Path Traversal (CWE-22) vulnerability in Kaleidos Penpot. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 28.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Arbitrary file read via path traversal directly enables collection of local system data including credential files and private keys.
NVD Description
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file contents being stored and retrievable as a "font" asset. This is an arbitrary file read vulnerability. Any authenticated user with team edit permissions can read arbitrary files accessible to the Penpot backend process on the host filesystem. This can lead to exposure of sensitive system files, application secrets, database credentials, and private keys, potentially enabling further compromise of the server. In containerized deployments, the blast radius may be limited to the container filesystem, but environment variables, mounted secrets, and application configuration are still at risk. Version 2.13.2 contains a patch for the issue.
Deeper analysis (AI)
CVE-2026-26202 is an arbitrary file read vulnerability in Penpot, an open-source design tool for design and code collaboration. In versions prior to 2.13.2, the `create-font-variant` RPC endpoint allows an authenticated user to supply a local file path, such as `/etc/passwd`, as a font data chunk. This causes the file contents to be stored and retrievable as a "font" asset, enabling unauthorized access to files on the host filesystem that are readable by the Penpot backend process. The issue is classified under CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any authenticated user with team edit permissions can exploit this vulnerability remotely over the network with low complexity. Attackers can read sensitive system files, application secrets, database credentials, and private keys accessible to the Penpot process. In containerized deployments, the impact is confined to the container's filesystem, though environment variables, mounted secrets, and application configurations remain exposed, potentially facilitating further server compromise.
Penpot version 2.13.2 patches the vulnerability. The fix is detailed in the commit at https://github.com/penpot/penpot/commit/06e5825c8a0209889966a4eb5152efd6ff108626, and further information is available in the security advisory at https://github.com/penpot/penpot/security/advisories/GHSA-xp3f-g8rq-9px2. Security practitioners should upgrade to the patched version and review access controls for team edit permissions.
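The mitigating control listed above (validate filenames so an asset can never resolve outside its intended directory) and the CWE-73 pattern described in the analysis, as an added example: this is not Penpot's code or its actual fix, and the storage directory `/srv/penpot/fonts` and the sample asset names are constructed for illustration.

```python
import os
from pathlib import Path

# Added example, not Penpot's code or its fix: a server-side check for a
# font-asset handler. The weakness class here (CWE-22 / CWE-73) is a
# client-supplied string being used as a filesystem path; the check below
# accepts only a bare filename that resolves inside the storage directory.

class PathRejected(ValueError):
    """Raised when a client-supplied asset name cannot be used safely."""

def resolve_font_asset(storage_dir: str, client_name: str) -> Path:
    """Map a client-supplied asset name to a path under storage_dir.

    Raises PathRejected for empty names, names with directory components
    (absolute paths, '/', '..' segments), NUL bytes, or anything that still
    resolves outside storage_dir after symlinks are followed.
    """
    base = Path(storage_dir).resolve()
    if not client_name or "\x00" in client_name:
        raise PathRejected("empty name or embedded NUL")
    # A bare filename has no directory part; '/etc/passwd' and
    # '../../etc/passwd' both fail this test.
    if client_name != os.path.basename(client_name) or client_name in (".", ".."):
        raise PathRejected(f"directory components not allowed: {client_name!r}")
    candidate = (base / client_name).resolve()
    # Re-check containment after resolution: a symlink planted inside
    # storage_dir must not redirect the asset outside it.
    if candidate.parent != base:
        raise PathRejected(f"resolves outside storage dir: {candidate}")
    return candidate

def font_name_allowed(storage_dir: str, client_name: str) -> bool:
    """Boolean wrapper around resolve_font_asset for triage and tests."""
    try:
        resolve_font_asset(storage_dir, client_name)
        return True
    except PathRejected:
        return False

def triage(storage_dir: str, names):
    """Return {name: allowed} for a batch of candidate asset names."""
    return {n: font_name_allowed(storage_dir, n) for n in names}

if __name__ == "__main__":
    # Constructed sample: one legitimate font name beside the kinds of
    # values the advisory describes being supplied in place of font data.
    samples = ["inter-regular.woff2", "/etc/passwd", "../../etc/passwd", "..", ""]
    for name, ok in triage("/srv/penpot/fonts", samples).items():
        print(f"{'allow' if ok else 'reject':6} {name!r}")
```

The same containment check belongs on the read side too: an asset is served only after its stored name passes `resolve_font_asset`, so a record that somehow holds a path-like name cannot be turned into a file read later.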
Details
- CWE(s)