High severity7.1NVD Advisory· Published Apr 22, 2026· Updated Apr 22, 2026

CVE-2026-6855

Description

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logs_dir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
instructlabPyPI	<= 0.26.1	—

Affected products

Instructlab/Instructlabinferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-pqmg-c2j8-fq92ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-6855ghsaADVISORY
access.redhat.com/security/cve/CVE-2026-6855nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000