CVE-2026-13493 Overview
CVE-2026-13493 affects AIDC-AI ComfyUI-Copilot up to version 2.0.28. The flaw resides in the backend/controller/conversation_api.py file within the Workflow Checkpoint Restore Handler component. An authenticated remote attacker can manipulate resource identifiers passed to the handler, leading to improper control of resource identifiers [CWE-99]. The vulnerability requires high attack complexity, and public exploit code has been disclosed. A pull request addressing the issue is pending acceptance in the upstream repository. See the GitHub Issue #149 and Pull Request #150 for tracking status.
Critical Impact
A remote authenticated attacker can manipulate checkpoint restore identifiers to influence resource resolution within ComfyUI-Copilot, with limited confidentiality impact and no direct impact on integrity or availability.
Affected Products
- AIDC-AI ComfyUI-Copilot versions up to and including 2.0.28
- Component: Workflow Checkpoint Restore Handler (backend/controller/conversation_api.py)
- Deployments exposing the ComfyUI-Copilot backend API to network-reachable users
Discovery Timeline
- 2026-06-28 - CVE-2026-13493 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-13493
Vulnerability Analysis
The vulnerability is classified under [CWE-99] Improper Control of Resource Identifiers, commonly known as Resource Injection. ComfyUI-Copilot is an AI assistant plugin for ComfyUI that manages workflow conversations and checkpoint state. The Workflow Checkpoint Restore Handler consumes identifiers supplied through the conversation API and uses them to resolve stored checkpoint resources. Because the identifier is not adequately validated against an allow-list or sanitized before resolution, an attacker can submit crafted values that redirect the handler toward unintended resources.
Exploitation requires network access to the API and a low-privileged account. The attack complexity is rated high, reflecting the specific request shaping needed for successful manipulation. Public exploit information is available through the VulDB entry.
Root Cause
The root cause is the absence of strict validation on resource identifiers accepted by the checkpoint restore logic in conversation_api.py. User-controlled input flows into resource resolution routines without normalization or boundary enforcement, allowing the handler to reference resources outside the intended scope.
Attack Vector
An attacker with a valid low-privileged session issues crafted requests to the conversation API endpoint responsible for restoring workflow checkpoints. By supplying manipulated identifier values, the attacker can influence which resources the handler resolves. The vulnerability is network-reachable and does not require user interaction. No verified exploitation code is reproduced here; technical details are available in the referenced GitHub Issue #149.
Detection Methods for CVE-2026-13493
Indicators of Compromise
- Unusual POST requests to the ComfyUI-Copilot conversation API referencing checkpoint restore operations with unexpected identifier formats
- Application logs from conversation_api.py showing checkpoint restore attempts referencing resources outside the authenticated user's workspace
- Repeated failed or malformed checkpoint restore calls from a single authenticated session
Detection Strategies
- Enable verbose logging on the ComfyUI-Copilot backend and alert on checkpoint restore calls with identifiers containing traversal sequences, absolute paths, or non-standard characters
- Correlate authenticated API activity with source IP reputation and session behavior to surface anomalous identifier manipulation
- Baseline expected checkpoint identifier patterns per user and flag deviations for review
Monitoring Recommendations
- Ingest ComfyUI-Copilot application and reverse-proxy logs into a centralized logging or SIEM platform for retention and query
- Monitor egress from hosts running ComfyUI-Copilot for unexpected file reads or outbound connections following checkpoint restore activity
- Track upstream repository activity on Pull Request #150 to detect when a fix is merged and released
How to Mitigate CVE-2026-13493
Immediate Actions Required
- Restrict network exposure of the ComfyUI-Copilot backend to trusted internal networks or VPN-reachable segments only
- Audit accounts with access to the ComfyUI-Copilot API and remove unused or shared credentials
- Review historical logs from conversation_api.py for evidence of prior checkpoint restore manipulation
Patch Information
At publication, no official patched release is available. A fix is proposed in Pull Request #150 against the AIDC-AI ComfyUI-Copilot repository and awaits acceptance. Operators should track the pull request and upgrade once a fixed version supersedes 2.0.28.
Workarounds
- Place the ComfyUI-Copilot backend behind an authenticating reverse proxy that enforces strict input validation on checkpoint identifier parameters
- Apply web application firewall rules that reject requests containing path traversal sequences or unexpected characters in checkpoint identifier fields
- Run ComfyUI-Copilot under a dedicated least-privileged system account with filesystem access limited to its own working directories
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

