8.6
PingPong: Authenticated users can access or delete private files
CVE-2026-32097
Summary
Authenticated users on PingPong can access or delete private files outside their intended authorization scope, including user-uploaded files and model-generated content. Retrieval requires permission to view at least one thread, and deletion requires permission to participate in at least one thread. This could compromise sensitive information. PingPong fixed this issue in version 7.27.2; update to that version to prevent the problem.
Original title
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authoriz...
Original description
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploaded files and model-generated output files. Exploitation required authentication and permission to view at least one thread for retrieval, and authentication and permission to participate in at least one thread for deletion. This vulnerability is fixed in 7.27.2.
nvd CVSS4.0
8.6
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026