CVE-2026-32097
PingPong has improper access control in thread file endpoints allows access outside intended scope
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
| CWE | CWE-639 |
| Vendor | comppolicylab |
| Product | pingpong |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for comppolicylab pingpong
Be the first to know when new unknown vulnerabilities affecting comppolicylab pingpong are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
comppolicylab / pingpong
< 7.27.2