CVE-2026-26002 in ondemandinfo

Summary

by MITRE • 03/05/2026

Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.


Analysis

by VulDB Data Team • 03/19/2026

The vulnerability identified as CVE-2026-26002 affects Open OnDemand, a widely used open-source portal for high-performance computing environments that provides web-based access to computational resources. This portal serves as a critical interface for researchers and scientists to manage their computational workflows, job submissions, and file management within HPC clusters. The Files application component within Open OnDemand is a core feature that allows users to navigate and interact with file systems on remote computing nodes. The vulnerability specifically impacts versions prior to 4.0.9 and 4.1.3, creating a significant security risk for organizations relying on these older versions for their computational infrastructure management.

The technical flaw lies in the way the Files application processes directory navigation requests: insufficient input validation allows malicious actors to inject harmful data during directory traversal operations. This vulnerability falls under the category of insufficient input validation as defined by CWE-20, one of the most common security weaknesses in software applications. When users navigate directories within the portal, the application fails to properly sanitize or validate the input parameters that define the target directory path, creating an opportunity for attackers to manipulate the navigation behavior through crafted input sequences. The vulnerability allows for arbitrary directory traversal through improper handling of user-supplied path information, potentially enabling unauthorized access to files and directories beyond the intended scope of user permissions.
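The generic weakness the analysis describes (a user-supplied path segment joined onto a base directory without a containment check) is shown below beside a hardened resolver. This is an added, illustrative example written for this page; it is not Open OnDemand's Files application code, and the function names, the `/srv/data` root and the sample inputs are all constructed. The hardened version resolves `.` and `..` lexically, treats absolute input as relative to the root, refuses `~` expansion and null bytes, and accepts the result only if it is the root itself or lies under the root plus a separator (so `/srv/data2` does not pass for root `/srv/data`).

```ruby
# Illustrative code, not Open OnDemand's own implementation.
# ROOT is a constructed example base directory for a per-user file browser.
ROOT = "/srv/data".freeze

# Weak pattern: the request is concatenated onto the root as-is.
# "../../etc/passwd" produces "/srv/data/../../etc/passwd", which the
# filesystem happily resolves outside the root.
def naive_join(root, requested)
  File.join(root, requested.to_s)
end

# Hardened pattern: normalise, then verify containment before use.
# Returns the resolved absolute path, or nil when the request escapes the root.
def resolve_within(root, requested)
  input = requested.to_s
  return nil if input.include?("\0")            # embedded NUL can truncate paths in C APIs

  root_abs = File.absolute_path(root)
  # Absolute user input is interpreted relative to the root, never the filesystem root.
  relative = input.sub(%r{\A/+}, "")
  relative = "." if relative.empty?

  # File.absolute_path collapses "." and ".." lexically and does NOT expand "~",
  # unlike File.expand_path, which would turn "~root" into a home directory.
  candidate = File.absolute_path(relative, root_abs)

  inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
  inside ? candidate : nil
end

# Convenience wrapper showing the decision a request handler would make.
def navigation_allowed?(requested, root = ROOT)
  !resolve_within(root, requested).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: one benign, the rest attempting to leave the root.
  ["projects/run1", "../../etc/passwd", "/etc/passwd", "../data2/x", "~root/.ssh"].each do |req|
    puts "#{req.inspect}: naive=#{naive_join(ROOT, req)} hardened=#{resolve_within(ROOT, req).inspect}"
  end
end
```

The check is purely lexical: it decides containment from the string, so a symlink inside the root that points elsewhere is not detected. Where the directory already exists, a second check on `File.realpath(candidate)` against `File.realpath(root_abs)` closes that gap; it is omitted here so the example runs without touching the filesystem.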

The operational impact of this vulnerability extends beyond simple directory traversal, as it could potentially allow attackers to access sensitive computational resources, view restricted files, or even execute unauthorized operations within the HPC environment. This represents a critical concern for organizations managing sensitive research data, proprietary algorithms, or classified computational workloads where unauthorized access could result in significant data breaches or intellectual property exposure. The vulnerability affects the fundamental security model of the portal, potentially undermining the access controls and permission mechanisms that are essential for maintaining secure multi-user HPC environments. Organizations using affected versions face the risk of unauthorized data access, potential system compromise, and violation of compliance requirements for data protection and access control.

Security practitioners should immediately prioritize the upgrade of affected Open OnDemand installations to versions 4.0.9 or 4.1.3, which contain the necessary patches to address the input validation flaws. The remediation process should include comprehensive testing of the updated environment to ensure that all directory navigation functionality operates correctly while maintaining the security enhancements. Organizations should also conduct thorough security assessments of their HPC environments to identify any potential exploitation attempts that may have occurred prior to the patch deployment. The vulnerability demonstrates the importance of maintaining current software versions in high-security environments and highlights the need for regular security updates and vulnerability management processes. From an ATT&CK framework perspective, this vulnerability aligns with techniques related to privilege escalation and credential access, as it could potentially enable attackers to gain unauthorized access to restricted computational resources and data within the HPC ecosystem.

Responsible: GitHub M

Reservation: 02/09/2026

Disclosure: 03/05/2026

Moderation: accepted

CPE: ready

EPSS: 0.00069

KEV: no

Activities: very low

Sources
