Strix
26.1K

CVE-2026-32097

HIGHCVSS 8.6/10EPSS 0.29%

Last modified

CVE-2026-32097 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. EPSS estimates a 0.29% chance of exploitation in the next 30 days.

Description

PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0
8.6/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.29%

20.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
HarvardPingpong< 7.27.2

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-32097?
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
How severe is CVE-2026-32097?
CVE-2026-32097 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 0.29% probability of exploitation in the next 30 days.
How do I fix CVE-2026-32097?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-32097?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST