Cyber Resilience

CVE-2026-32097

High

Published: 11 March 2026

Published
11 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0029 20.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32097 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Harvard Pingpong. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32097 is an authorization bypass vulnerability (CWE-639) affecting the PingPong platform, an open-source tool for using large language models (LLMs) in teaching and learning environments. In versions prior to 7.27.2, the platform fails to properly enforce file access controls, allowing authenticated users to retrieve or delete files beyond their intended authorization scope. This includes private files such as user-uploaded content and model-generated outputs. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An attacker with a low-privilege authenticated account can exploit this issue over the network with low complexity and no user interaction required. For file retrieval, the attacker needs only permission to view at least one thread; for deletion, permission to participate in at least one thread suffices. Successful exploitation enables unauthorized access to or destruction of sensitive files belonging to other users, potentially leading to data theft or disruption in shared LLM-based educational workflows.

The GitHub security advisory (GHSA-4wwr-5wq7-mgm4) confirms the issue is fully resolved in PingPong version 7.27.2, recommending immediate upgrades for all prior installations. No additional workarounds are specified, emphasizing patching as the primary mitigation.

This vulnerability is particularly relevant to AI/ML deployments in educational settings, as PingPong handles LLM-generated outputs that may contain proprietary or sensitive data. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-03-11.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or…

more

deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llms

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Authorization bypass enables file retrieval (T1005) and deletion (T1485) by authenticated users; exploitation requires valid low-privilege accounts (T1078) against a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45671Shared CWE-639
CVE-2026-4503Shared CWE-639
CVE-2026-41949Shared CWE-639
CVE-2026-45398Shared CWE-639
CVE-2026-41947Shared CWE-639
CVE-2025-69207Shared CWE-639
CVE-2026-45402Shared CWE-639
CVE-2026-41279Shared CWE-639
CVE-2026-44570Shared CWE-639
CVE-2026-28788Shared CWE-639

Affected Assets

harvard
pingpong
≤ 7.27.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for file access, preventing authenticated users from retrieving or deleting files outside their intended scope.

prevent

Prompt identification, reporting, and correction of flaws like this authorization bypass ensures timely patching to version 7.27.2.

prevent

Principle of least privilege limits the access of low-privilege authenticated users, reducing the potential impact of authorization bypass exploitation.

References