CVE-2026-26202 Overview
CVE-2026-26202 is a Path Traversal vulnerability affecting Penpot, an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can exploit improper input validation in the create-font-variant RPC endpoint to read arbitrary files from the server filesystem. When a local file path (e.g., /etc/passwd) is supplied as a font data chunk, the backend reads that file and stores its contents as a "font" asset, which the attacker can then retrieve through normal application functionality.
Critical Impact
Any authenticated user with team edit permissions can exfiltrate sensitive system files, application secrets, database credentials, and private keys from the Penpot backend server, potentially enabling complete server compromise.
Affected Products
- Penpot versions prior to 2.13.2
- Self-hosted Penpot deployments (containerized and bare-metal)
- Penpot instances with authenticated users having team edit permissions
Discovery Timeline
- 2026-02-19 - CVE-2026-26202 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26202
Vulnerability Analysis
This vulnerability exists in the font variant creation functionality within Penpot's backend RPC layer. The create-font-variant endpoint accepts user-supplied data chunks intended to contain font binary data. However, prior to version 2.13.2, the endpoint failed to properly validate the data type of these chunks, allowing arbitrary file paths to be passed instead of actual font data bytes.
When a local file path such as /etc/passwd is supplied as a font data chunk, the backend reads the file contents from the server's filesystem and stores them as a font asset. The attacker can then retrieve this "font" asset through normal application functionality, effectively exfiltrating the file contents.
The attack surface is limited to authenticated users with team edit permissions, but in collaborative environments this represents a significant trust boundary violation. While containerized deployments may limit exposure to the container filesystem, environment variables, mounted secrets, and application configuration files remain at risk of disclosure.
Root Cause
The root cause is insufficient input validation in the create-font-variant RPC endpoint's schema definition. The original schema accepted ::sm/any type for the font data map values, allowing arbitrary input including file path strings. This permissive type definition enabled attackers to inject local file paths that the backend would then resolve and read.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal.
Attack Vector
The attack is executed over the network by an authenticated user with team edit permissions. The attacker crafts a malicious request to the create-font-variant RPC endpoint, replacing the expected font binary data with a local file path. The server processes this request, reads the specified file, and stores the contents as a retrievable font asset.
(def ^:private schema:create-font-variant
[:map {:title "create-font-variant"}
[:team-id ::sm/uuid]
- [:data [:map-of ::sm/text ::sm/any]]
+ [:data [:map-of ::sm/text [:or ::sm/bytes
+ [::sm/vec ::sm/bytes]]]]
[:font-id ::sm/uuid]
[:font-family ::sm/text]
[:font-weight [::sm/one-of {:format "number"} valid-weight]]
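Review bot: the tightened `:data` type in this hunk, `[:or ::sm/bytes [::sm/vec ::sm/bytes]]`, is only as strong as the predicate registered for `::sm/bytes`, and that registration is not part of the visible change; it should land together with the schema.cljc update the page mentions, otherwise an unregistered keyword could fail open or break validation outright. Add a test at the RPC boundary asserting that a string value such as `"/etc/passwd"` in the `:data` map is rejected before any storage or file-reading code runs, since the other fields in this schema (`:team-id`, `:font-id`, `:font-family`, `:font-weight`) are untouched and the fix rests entirely on this one type constraint.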
Source: GitHub Commit
The patch restricts the data type to only accept byte arrays (::sm/bytes) or vectors of byte arrays, preventing file path injection.
Detection Methods for CVE-2026-26202
Indicators of Compromise
- Unusual font upload requests containing file path patterns like /etc/, ../, or absolute paths
- Font assets with anomalous content that resembles configuration files or system data
- Excessive font creation activity from a single user or session
- Backend log entries showing file access to sensitive system paths during font operations
Detection Strategies
- Monitor RPC endpoint logs for create-font-variant calls with suspicious payload patterns
- Implement Web Application Firewall (WAF) rules to detect path traversal sequences in request bodies
- Analyze stored font assets for non-binary content or system file signatures
- Review audit logs for users accessing newly created fonts immediately after upload
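The following is an added example, not code from Penpot or from the advisory. It implements the two checks the bullets above describe in Python: a mirror of the 2.13.2 type rule (a chunk must be bytes or a vector of bytes, never a string) applied to logged create-font-variant request data, and a scan of stored "font" assets that flags anything lacking real font magic bytes or holding readable text. The asset ids, sample request map and leaked-text contents are constructed for illustration.

```python
import re

# Magic bytes at offset 0 of common font containers (TTF/OTF/TTC/WOFF/WOFF2).
FONT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf", b"wOFF", b"wOF2")
# Payloads that look like filesystem paths: absolute paths, traversal, sensitive directories.
PATH_RE = re.compile(r"^(/|\.\./|[A-Za-z]:\\)|(^|/)\.\.(/|$)|/(etc|proc|var|root|home)/")

def accepted_by_patched_schema(value) -> bool:
    """Mirror the 2.13.2 type rule: a chunk must be bytes or a vector of bytes.
    A str (the form in which a file path arrived before the fix) is rejected."""
    if isinstance(value, (bytes, bytearray)):
        return True
    return isinstance(value, (list, tuple)) and all(
        isinstance(v, (bytes, bytearray)) for v in value)

def classify_chunk(chunk) -> str:
    """Classify a chunk: 'font' (real font magic), 'path' (path-like str),
    'text' (readable non-font content, e.g. a leaked config) or 'unknown-binary'."""
    if isinstance(chunk, str):
        return "path" if PATH_RE.search(chunk) else "text"
    if isinstance(chunk, (list, tuple)):  # vector form: inspect the offending part
        bad = [c for c in chunk if not isinstance(c, (bytes, bytearray))]
        return classify_chunk(bad[0]) if bad else classify_chunk(b"".join(chunk))
    data = bytes(chunk)
    if data[:4] in FONT_MAGIC:
        return "font"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown-binary"
    if text and all(c.isprintable() or c.isspace() for c in text):
        return "text"
    return "unknown-binary"

def scan_assets(assets: dict) -> dict:
    """Return {asset_id: classification} for every stored 'font' that is not one."""
    return {aid: cls for aid, data in assets.items()
            if (cls := classify_chunk(data)) != "font"}

def scan_request_data(data: dict) -> dict:
    """Flag request chunks the patched schema would reject, with their classification."""
    return {k: classify_chunk(v) for k, v in data.items()
            if not accepted_by_patched_schema(v)}

# Constructed sample: two real font headers and two assets holding leaked text.
SAMPLE_ASSETS = {
    "font-ttf": b"\x00\x01\x00\x00\x00\x0f\x00\x80" + b"\x00" * 24,
    "font-woff": b"wOFF\x00\x01\x00\x00" + b"\x00" * 20,
    "asset-41": b"root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534::/:/usr/sbin/nologin\n",
    "asset-42": b"PENPOT_DATABASE_PASSWORD=<placeholder>\n",
}
# Constructed :data map as it would appear in a logged create-font-variant request.
SAMPLE_REQUEST_DATA = {"ttf": "/etc/passwd", "woff": "../../proc/self/environ"}
```

Run scan_assets over exported font assets and scan_request_data over parsed RPC logs; anything classified as "path" or "text" is a candidate exfiltration artefact to review.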
Monitoring Recommendations
- Enable detailed logging for all font-related RPC endpoints in Penpot
- Set up alerts for file access patterns targeting sensitive directories (e.g., /etc/, /proc/, /var/)
- Monitor for unusual data exfiltration patterns from font asset retrieval endpoints
- Track authenticated user behavior for anomalous font creation and retrieval sequences
How to Mitigate CVE-2026-26202
Immediate Actions Required
- Upgrade Penpot to version 2.13.2 or later immediately
- Audit existing font assets for potential data exfiltration artifacts
- Review access logs for suspicious create-font-variant RPC calls prior to patching
- Rotate any credentials or secrets that may have been exposed on affected systems
Patch Information
Version 2.13.2 contains the security fix for this vulnerability. The patch modifies the schema validation in backend/src/app/rpc/commands/fonts.clj to enforce strict type checking on font data inputs, accepting only byte arrays (or vectors of byte arrays) instead of arbitrary types. Additional schema updates were made in common/src/app/common/schema.cljc to register the ::bytes type predicate.
For detailed patch information, see the GitHub Security Advisory and the commit change.
Workarounds
- Restrict team edit permissions to trusted users only until patching is complete
- Apply container-level restrictions (read-only root filesystem, minimal volume mounts, no secrets written to disk) to limit what the backend process can read in containerized deployments
- Deploy a reverse proxy with request inspection to filter path traversal patterns
- Temporarily disable font upload functionality if not business-critical
# Configuration example - Restrict filesystem access in Docker deployments.
# Only the hardening flags are shown; the environment variables, network and
# volume settings a real Penpot backend deployment needs are omitted.
# Caveat: a read-only (:ro) data volume also blocks new asset writes, so if
# Penpot stores uploaded assets there, font uploads will fail until ":ro" is
# dropped after upgrading.
docker run -d \
  --name penpot-backend \
  --read-only \
  --tmpfs /tmp \
  -v penpot-data:/opt/data:ro \
  --security-opt=no-new-privileges:true \
  penpot/penpot-backend:2.13.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


