CVE-2026-40086: Rembg is a tool to remove image backgrounds. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server al
medium vulnerability
security
Summary
Rembg, a tool that removes image backgrounds, has a path traversal vulnerability (a flaw where attackers can access files outside the intended directory) in its HTTP server before version 2.0.75. An unauthenticated attacker can send a malicious request with a crafted model_path parameter to read arbitrary files from the server, potentially revealing file contents through error messages.
Solution / Mitigation
This vulnerability is fixed in version 2.0.75. Users should update to rembg 2.0.75 or later.
Vulnerability Details
CVSS Score: 5.3 (medium)
EPSS (30-day exploit probability): 0.0%
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Disclosure Date: April 10, 2026
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40086
First tracked: April 10, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 95%