CVE-2026-40035
Published: 08 April 2026
Summary
CVE-2026-40035 is a critical-severity Active Debug Code (CWE-489) vulnerability in Ryandfir Unfurl. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 32.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires information input validation at config parsing points, directly preventing non-empty strings from enabling Flask debug mode and exposing the Werkzeug debugger.
SI-2 mandates timely flaw remediation, addressing this improper input validation vulnerability through patching as recommended in the advisories.
CM-6 enforces secure configuration settings that explicitly disable debug mode, providing a workaround to mitigate erroneous enabling via config parsing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-40035 enables remote exploitation of a public-facing Flask application in the Unfurl DFIR tool via improper input validation in config parsing, triggering Werkzeug debugger exposure for sensitive information disclosure and RCE without privileges or interaction.
NVD Description
Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.
Deeper analysis
CVE-2026-40035 is an improper input validation vulnerability (CWE-489) in the config parsing of Unfurl, an open-source tool from Obsidian Forensics used in digital forensics and incident response. Versions of Unfurl through 2025.08 are affected. The issue arises because the debug configuration value is read as a string and passed directly to Flask's app.run() method, causing any non-empty string to evaluate as truthy and enable debug mode by default. This exposes the Werkzeug debugger in the Flask application.
Remote attackers require no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, score 9.1) to exploit the vulnerability over the network. By triggering the debug mode through crafted configuration inputs, attackers can access the Werkzeug debugger console, enabling them to disclose sensitive information from the application's environment or achieve remote code execution.
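The parsing defect described above, shown as an added example that is not Unfurl's own code: the vulnerable path hands the raw config string to app.run(), which coerces it with bool(), so the string "False" still enables the Werkzeug debugger; the hardened path parses the value strictly and rejects anything it does not recognise. The section name, option name and sample config are assumptions constructed for this illustration, and the Flask app is not imported so the snippet runs offline.

```python
import configparser

# Constructed sample config: the operator believes debug is turned OFF.
# Section and option names are assumptions, not Unfurl's real config layout.
SAMPLE_CONFIG = """
[app]
debug = False
"""

def load_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def debug_flag_vulnerable(cfg):
    # The CWE-489 pattern: the option is read as a plain string and would be
    # passed straight to app.run(debug=raw). Flask applies bool() to the
    # value, so any non-empty string, including "False" or "0", is truthy
    # and switches on the Werkzeug debugger. bool(raw) mirrors that coercion.
    raw = cfg.get("app", "debug")
    return bool(raw)

def debug_flag_fixed(cfg):
    # Strict parsing: only yes/no/on/off/true/false/1/0 (case-insensitive)
    # are accepted; anything else raises ValueError instead of silently
    # enabling debug. A missing option defaults to the safe value, False.
    return cfg.getboolean("app", "debug", fallback=False)

def audit_debug_setting(text):
    # Defender-side check for a config file: returns (vulnerable_result,
    # fixed_result) so the discrepancy between the two parsers is visible.
    cfg = load_config(text)
    return debug_flag_vulnerable(cfg), debug_flag_fixed(cfg)

if __name__ == "__main__":
    vuln, fixed = audit_debug_setting(SAMPLE_CONFIG)
    print(f"raw-string path enables debug: {vuln}")   # True
    print(f"strict-parse path enables debug: {fixed}")  # False
```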
Advisories providing mitigation guidance include the GitHub security advisory at https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2 and the VulnCheck analysis at https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing. Security practitioners should review these for patching instructions and configuration workarounds.
Details
- CWE(s)