{"id":"CVE-2026-59094","summary":"Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store","details":"Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.","modified":"2026-07-16T03:31:05.658716379Z","published":"2026-07-02T19:40:50.961Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-407"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59094.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59094.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59094"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/pathway-unauthenticated-denial-of-service-via-exponential-glob-pattern-matching-in-document-store"},{"type":"REPORT","url":"https://github.com/pathwaycom/pathway/pull/250"},{"type":"FIX","url":"https://github.com/pathwaycom/pathway/commit/d09722eef03fd94bba701836eb4c7fbfa3d3b88e"},{"type":"PACKAGE","url":"https://github.com/pathwaycom/pathway"},{"type":"EVIDENCE","url":"https://github.com/pathwaycom/pathway/issues/241"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pathwaycom/pathway","events":[{"introduced":"0"},{"fixed":"3c9582cb81b16fcb786dc32924eaad35426f8c36"},{"fixed":"d09722eef03fd94bba701836eb4c7fbfa3d3b88e"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.31.1"}]}}],"versions":["v0.31.1","v0.31.0","v0.30.1","v0.30.0","v0.29.1","v0.29.0","v0.28.0","v0.27.1","v0.27.0","v0.26.4","v0.26.3","v0.26.2","v0.26.1","v0.26.0","v0.25.1","v0.25.0","v0.24.1","v0.24.0","v0.23.0","v0.22.0","v0.21.6","v0.21.5","v0.21.4","v0.21.3","v0.21.2","v0.21.1","v0.21.0","v0.20.1","v0.20.0","v0.19.0","v0.18.0","v0.17.0","v0.16.4","v0.16.3","v0.16.2","v0.16.1","v0.16.0","v0.15.4","v0.15.3","v0.15.2","v0.15.1","v0.15.0","v0.14.3","v0.14.2","v0.14.1","v0.14.0","v0.13.2","v0.13.1","pathway-0.13.1","v0.13.0","v0.12.0","v0.11.2","v0.11.1","v0.11.0","v0.10.1","v0.10.0","v0.9.0","v0.8.6","v0.8.5","v0.8.4","v0.8.3","v0.8.2","v0.8.1","v0.8.0","v0.7.10","v0.7.9","v0.7.8","v0.7.7","v0.7.6","v0.7.5","v0.7.4","v0.7.3","v0.7.2","v0.7.1","v0.7.0","v0.6.0","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.1","v0.4.0","v0.3.4","v0.3.3","v0.3.2","v0.3.1","v0.3.0","v0.2.1","v0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59094.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}