CRITICAL🇵🇱 Wersja polska

CVE-2026-33054

CVSS 10.0v3.1pub. 2026-03-20upd. 2026-03-24

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

🤖 AI Analysis
How it works

The attacker provides a crafted state_token parameter in the request payload to the UI stream endpoint. The vulnerable implementation does not properly validate this value, allowing the file-based backend (FileStateSessionBackend) to be directed to any file on the server disk. If the indicated file is not in msgpack format (expected by the application), a read error occurs causing a crash loop and denial of service (DoS). The attacker can also overwrite or delete system resources outside application boundaries.

Impact

An unauthenticated attacker can cause multiple application crashes (crash loop, DoS), as well as arbitrarily overwrite or delete files on the server disk outside the application scope, which can lead to permanent damage or data loss.

Mitigation & patch

Mesop should be updated to version 1.2.3, in which the vulnerability has been fixed. The patch is available in the GitHub repository (commit c6b382f363b73ac32c402a2db3aadc7784f66a5b) and as an official v1.2.3 release.

Who is affected

Mesop (mesop-dev/mesop) in versions 1.2.2 and earlier, particularly installations using FileStateSessionBackend as the session backend.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Mesop Dev Mesop

    APP
    Mesop-Dev
    < 1.2.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalDoS
CWE
References

Related vulnerabilities

CVE-2026-33057CRITICAL9.8PL ✓ten sam produkt

RCE w Mesop — nieuwierzytelniony endpoint /exec-py wykonuje kod Python

CVE-2026-34824HIGH7.5ten sam produkt

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before...