Critical severity 10.0 · NVD Advisory · Published Dec 12, 2024 · Updated Apr 15, 2026
CVE-2024-21574
Description
The issue stems from missing validation of the pip field in a POST request sent to the /customnode/install endpoint, which the extension adds to the server and which is used to install custom nodes. This allows an attacker to craft a request that triggers a pip install of a user-controlled package or URL, resulting in remote code execution (RCE) on the server.
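One way to validate the pip field described above, shown as an added example that is neither the project's fix nor code from this advisory. It assumes the field is a list of requirement strings and that the server keeps its own allowlist; `ALLOWED_PACKAGES`, `validate_pip_field`, `handle_install` and the sample request are hypothetical.

```python
import re

# Hypothetical allowlist; assumed to come from a trusted local catalogue,
# never from the request itself.
ALLOWED_PACKAGES = {"numpy", "pillow", "opencv-python"}

_OP = r"(?:==|>=|<=|~=|!=|<|>)"
_VER = r"[A-Za-z0-9.*+!]+"
# A bare requirement: project name plus optional version specifiers only.
_REQ = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    rf"(?:\s*{_OP}\s*{_VER}(?:\s*,\s*{_OP}\s*{_VER})*)?"
)

def normalize(name):
    """PEP 503 normalization so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def validate_pip_field(entries):
    """Split the pip list into (accepted, rejected); URLs, VCS refs, options fail."""
    if not isinstance(entries, list):
        raise ValueError("pip field must be a list of strings")
    accepted, rejected = [], []
    for entry in entries:
        m = _REQ.fullmatch(entry.strip()) if isinstance(entry, str) else None
        if m and normalize(m.group("name")) in ALLOWED_PACKAGES:
            accepted.append(entry.strip())
        else:
            rejected.append(entry)
    return accepted, rejected

def handle_install(body):
    """Refuse the whole request if any pip entry fails validation."""
    accepted, rejected = validate_pip_field(body.get("pip", []))
    if rejected:
        return {"status": 400, "rejected": rejected}
    return {"status": 200, "install": accepted}

# Constructed request body for illustration (not captured traffic).
SAMPLE_REQUEST = {"pip": [
    "numpy>=1.24,<2.0",
    "Pillow",
    "https://example.invalid/pkg.tar.gz",
    "git+https://example.invalid/repo.git",
    "--index-url=https://example.invalid/simple",
    "unlisted-package",
]}
```

Accepted entries should still be handed to pip as separate argument-vector items rather than through a shell.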
Patches
ffc095a3e5ac