<Vulnerability name="CVE-2026-12243">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-30T00:14:35</PublicDate>
    <Bugzilla id="2494748" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494748" xml:lang="en:us">
nltk: NLTK: Information disclosure via path traversal vulnerability
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in NLTK. An attacker can exploit a path traversal vulnerability by providing specially crafted input to `nltk.data.load()` or `nltk.data.find()`. This allows the attacker to read arbitrary files accessible to the Python process, leading to information disclosure. The vulnerability arises from an incomplete fix that fails to account for percent-encoded traversal sequences.
    </Details>
    <Statement xml:lang="en:us">
A path traversal flaw was found in NLTK's resource loading functions (nltk.data.load() and nltk.data.find()). The vulnerability allows arbitrary file reads when an attacker can control the resource_name parameter by using percent-encoded path separators to bypass validation. In Red Hat products where NLTK is bundled (OpenShift AI, OpenShift Lightspeed, Ansible Automation Platform), the resource loading functions are typically used internally to load pre-packaged NLP models and corpora. Exploitation requires that untrusted user input is passed directly to these functions without additional sanitization.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not pass untrusted or user-controlled input directly to nltk.data.load() or nltk.data.find(). Validate and sanitize any resource name parameter before use, rejecting values containing percent-encoded characters (%2f, %2e) or path traversal sequences. As defense-in-depth, set nltk.pathsec.ENFORCE = True in application code to enable file-read restrictions at the open stage (disabled by default).
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Affected</FixState>
        <PackageName>exploit-intelligence-tech-preview/vulnerability-analysis-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-lightspeed/lightspeed-ocp-rag-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-lightspeed/lightspeed-service-api-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Will not fix</FixState>
        <PackageName>ansible-automation-platform-25/lightspeed-chatbot-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-llama-stack-core-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-ta-lmes-job-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-trustyai-nemo-guardrails-server-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-12243
https://nvd.nist.gov/vuln/detail/CVE-2026-12243
https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1
    </References>
</Vulnerability>