Auth bypass in Comppolicylab Pingpong
CVE-2026-32097
PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in re…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (26.5th percentile)
Affected products
- Comppolicylab Pingpong — versions < 7.27.2
Weakness classification (CWE)
References
- https://github.com/comppolicylab/pingpong/security/advisories/GHSA-4wwr-5wq7-mgm4 (x_refsource_CONFIRM)