| Field | Value |
|---|---|
| Title | ComfyUI ComfyUI-Manager <= v3.35.0 9.8 (CRITICAL) |
| Description | ComfyUI-Manager prior to v3.38.0 contains a critical authentication bypass vulnerability that allows unauthenticated attackers to achieve Remote Code Execution (RCE) on the underlying server.<br>The vulnerability arises from an insecure file path configuration where the Manager stores configuration files in the `user/default/ComfyUI-Manager/` directory. The `default` user directory is accessible via the `/userdata` API endpoint without authentication. An attacker can:<br>1. Upload a malicious snapshot file containing arbitrary Git repository URLs<br>2. Trigger the snapshot restoration process<br>3. Upon ComfyUI restart, the Manager automatically clones the specified Git repository and executes any `install.py` script found within |
| Source | https://github.com/nn0nkey/nn0nkey/blob/main/comfy.md |
| User | nn0nkey (UID 74287) |
| Submission | 01/09/2026 10:14 (5 months ago) |
| Moderation | 01/11/2026 10:38 (2 days later) |
| Status | Duplicate |
| VulDB entry | 339553 [ComfyUI-Manager up to 3.37 Web Interface unprotected alternate channel] |
| Points | 0 |