CVE-2026-22777
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Description
## Impact

**Vulnerability Type**: CRLF Injection via ConfigParser

An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the `config.ini` file. This can lead to security setting tampering or modification of application behavior.

**Affected Users**: Users running ComfyUI-Manager in environments where ComfyUI is configured with the `--listen` option to allow remote access.

**CVSS Score**: 7.5 (High)

## Patches

Fixed in the following versions:

- **3.39.2** (v3.x branch)
- **4.0.5** (v4.x branch)

Sanitization logic was added to the `write_config()` function to remove CRLF and NULL characters from all string values.

## Workarounds

If upgrading is not possible:

- Run ComfyUI-Manager only on trusted networks
- Block external access via firewall
- Run on localhost only without the `--listen` option

## References

- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)
- [OWASP CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)

## Credit

This vulnerability was reported by:

- 李存义 <[email protected]>
- D0n9 Li <[email protected]>
- Swings <[email protected]>
- Osword from SGLAB of Legendsec at Qi'anxin Group <[email protected]>
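The advisory describes the fix only as stripping CRLF and NULL from string values before `write_config()` writes them. The following is an added illustration, not ComfyUI-Manager's code: a hypothetical `write_config()` that writes one section through Python's `configparser`, with the same kind of control-character sanitizer, plus a round-trip helper that shows why it matters. Python's `ConfigParser.write()` turns an embedded `\n` into an indented continuation line, but a bare `\r` in a value is written unchanged and is treated as a line break when the file is read back in universal-newlines mode, so an unsanitized value can introduce a new option. The section name, option names and the untrusted value below are constructed for the demonstration.

```python
"""Regression check for CRLF/NUL sanitization of INI values.

Added example; write_config(), sanitize_value() and the section/option
names are hypothetical and not taken from ComfyUI-Manager.
"""
import configparser
import os
import re
import tempfile

# Characters the advisory's fix removes: carriage return, line feed, NUL.
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")

# Constructed untrusted input, as it might arrive in a query parameter:
# a plausible value followed by a bare CR and a second "option = value".
UNTRUSTED_VALUE = "https://example.invalid/list\rinjected = 1"


def sanitize_value(value: str) -> str:
    """Strip CR, LF and NUL so a value can never span INI lines."""
    return _CONTROL_CHARS.sub("", value)


def write_config(path: str, section: str, values: dict, sanitize: bool = True) -> None:
    """Write one section to an INI file; sanitize=False models the pre-fix behaviour."""
    parser = configparser.ConfigParser()
    parser[section] = {}
    for key, value in values.items():
        parser[section][key] = sanitize_value(value) if sanitize else value
    with open(path, "w", encoding="utf-8") as fp:
        parser.write(fp)


def read_options(path: str, section: str) -> dict:
    """Read the section back the way the application would (text mode, universal newlines)."""
    parser = configparser.ConfigParser()
    parser.read(path, encoding="utf-8")
    return dict(parser[section])


def roundtrip(values: dict, sanitize: bool) -> dict:
    """Write values to a temporary config.ini and return what is parsed back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.ini")
        write_config(path, "manager", values, sanitize=sanitize)
        return read_options(path, "manager")


def demonstrate() -> tuple:
    """Return (unsanitized, sanitized) parse results for the constructed value."""
    values = {"channel_url": UNTRUSTED_VALUE}
    return roundtrip(values, sanitize=False), roundtrip(values, sanitize=True)


if __name__ == "__main__":
    before, after = demonstrate()
    print("without sanitization:", before)  # extra 'injected' option appears
    print("with sanitization:   ", after)   # only 'channel_url' survives
```

The check to keep in a test suite is the second half: after sanitization, the set of option names read back must equal the set of keys written. Stripping rather than rejecting matches the advisory's description of the fix; rejecting the request outright is an equally valid design and gives the operator a log line to alert on.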
How to fix CVE-2026-22777
To remediate CVE-2026-22777, upgrade the affected package to a fixed version below.
- Upgrade to 4.0.5 or later
Is CVE-2026-22777 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.0.5