Cyber Posture

CVE-2026-6855

High

Published: 22 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.2nd percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6855 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 4.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent (SI-10, Information Input Validation): Directly mitigates path traversal by validating the logs_dir parameter against directory traversal sequences before processing file operations.

prevent (SI-2, Flaw Remediation): Requires timely patching and flaw remediation for the specific vulnerability in InstructLab's chat session handler as detailed in the Red Hat advisory.

prevent: Enforces access control policies to restrict unauthorized file writes to arbitrary system locations by low-privilege local attackers.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables arbitrary file writes to any location, directly facilitating stored data manipulation via overwrites and indirect privilege escalation by targeting critical system files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.

Deeper analysis (AI-generated)

CVE-2026-6855, published on 2026-04-22, is a path traversal vulnerability (CWE-22) in InstructLab's chat session handler. The flaw allows manipulation of the `logs_dir` parameter, enabling attackers to create new directories and write files to arbitrary locations on the system. This affects InstructLab deployments and has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), rated as high severity due to its potential for unauthorized data modification or disclosure.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. By crafting malicious requests to the chat session handler, the attacker gains the ability to write files outside intended directories, potentially overwriting critical system files, escalating privileges indirectly, or exfiltrating sensitive data through controlled file placements.

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-6855 and the associated Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2460013, which likely include patch information and workarounds for affected InstructLab versions.
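The SI-10 control entry above and this analysis both come down to one defensive check: a caller-supplied `logs_dir` value must be confined to the directory the application intends to write under before any directory is created or file is written. The following is an added example, not InstructLab's own code or the patch from the Red Hat advisory; the function and variable names, the base directory and the sample requests are all hypothetical and constructed for illustration. It resolves the candidate path (following symlinks and normalising `..`) and then verifies that the result is still inside the base directory, which catches both `../` sequences and symlink escapes, rather than filtering the string for `..` substrings.

```python
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested logs_dir would escape the allowed base directory."""


def resolve_logs_dir(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested`, confined to `base_dir`.

    Confinement is checked on the resolved path (symlinks followed, '..'
    normalised), so both traversal sequences and symlink escapes are rejected.
    Absolute requests are rejected up front because joining them onto the base
    would silently discard the base directory.
    """
    base = Path(base_dir).resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    # resolve(strict=False) normalises '..' even when the path does not exist yet.
    target = (base / candidate).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise PathTraversalError(f"path escapes {base}: {requested!r}")
    return target


def is_confined(base_dir: str, requested: str) -> bool:
    """True if `requested` stays under `base_dir`, False if it would be rejected."""
    try:
        resolve_logs_dir(base_dir, requested)
    except PathTraversalError:
        return False
    return True


def check_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Evaluate a batch of candidate logs_dir values against one base directory."""
    return {req: is_confined(base_dir, req) for req in requests}


def create_session_log_dir(base_dir: str, requested: str) -> Path:
    """Create the session log directory only after the confinement check passes."""
    target = resolve_logs_dir(base_dir, requested)
    target.mkdir(parents=True, exist_ok=True)
    return target


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical base directory and requests).
    base = "/tmp/ilab-sessions"
    samples = [
        "session-42",            # plain name: accepted
        "nested/run-1",          # subdirectory: accepted
        "ok/../still-inside",    # '..' that stays under base: accepted
        "../../etc/cron.d",      # classic traversal: rejected
        "ok/../../escape",       # traversal hidden after a valid segment: rejected
        "/etc/passwd",           # absolute path: rejected
    ]
    for req, accepted in check_requests(base, samples).items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {req}")
```

The check is deliberately performed on the resolved path rather than on the raw string: a substring filter for `..` can be bypassed by encodings or by a symlink placed inside the base directory, whereas comparing the fully resolved target against the resolved base leaves no such gap. Creating the directory only after `resolve_logs_dir` returns is what keeps the `mkdir(parents=True)` call from ever operating outside the base.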

Details

CWE(s)

CVEs Like This One

CVE-2025-9142 (shared CWE-22)
CVE-2024-48885 (shared CWE-22)
CVE-2025-55282 (shared CWE-22)
CVE-2025-25371 (shared CWE-22)
CVE-2025-54307 (shared CWE-22)
CVE-2026-20688 (shared CWE-22)
CVE-2026-20615 (shared CWE-22)
CVE-2026-33747 (shared CWE-22)
CVE-2025-48567 (shared CWE-22)
CVE-2026-28827 (shared CWE-22)

References