HIGH 7.5

CVE-2026-49136: Banana Slides Path Traversal Vulnerability – Arbitrary File Read

Banana Slides version 0.4.0 and earlier contains a path traversal flaw that lets unauthenticated attackers read image files from anywhere on the server, not just the intended uploads folder. An attacker can craft specially formatted markdown in page descriptions to trick the application into opening files from sibling directories. The vulnerability stems from a flawed directory check that doesn't properly validate path boundaries, allowing an attacker to bypass the intended confinement and access sensitive image-format files. This affects all instances of Banana Slides up to version 0.4.0; a fix has been released in commit e8bc490.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate_image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open().

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the generate_image() function of Banana Slides' AI service backend. The application attempts to restrict file access to a designated uploads directory by using os.path.startswith() to validate image paths in user-supplied markdown. However, this check lacks a trailing path separator, creating a bypass: a directory named 'uploads_backup' would pass a startswith('uploads') check even though it is a sibling directory, not a subdirectory of uploads. When PIL's Image.open() is subsequently called on the resolved path, the application reads arbitrary image-format files from unintended locations. The flaw is unauthenticated, accessible via markdown image references in page descriptions, and results in confidentiality loss.

Business impact

An attacker can exfiltrate sensitive image files stored on the same server as the Banana Slides instance without authentication. This may include user-uploaded images, cached assets, system images, or other proprietary visual content. The exposure is particularly concerning for instances hosting confidential diagrams, screenshots, medical imagery, or other sensitive visual data. There is no impact to data integrity or availability, but the confidentiality breach can lead to information disclosure, compliance violations, and reputational harm.

Affected systems

Banana Slides versions 0.4.0 and earlier are vulnerable. The fix was introduced in commit e8bc490, so any deployment updated from that commit forward is patched. Organizations should verify their exact Banana Slides version and check whether their source tree includes the patched commit.

Exploitability

This vulnerability is straightforward to exploit and requires no authentication, special privileges, or user interaction. An attacker simply embeds a crafted markdown image reference in a page description—for example, referencing a sibling directory name that shares the uploads prefix. The application's AI service backend processes the description, generates the image path, and due to the flawed path check, retrieves the file. No CVSS modifiers for attack complexity, privileges, or user interaction apply; the network-based attack surface is direct and accessible to any unauthenticated user.

Remediation

Update Banana Slides to a version that includes the fix from commit e8bc490 or later. Verify the patch by examining the generate_image() function to ensure path validation now includes a trailing path separator (e.g., os.path.join() or explicit separator checks) and properly constrains file access to the intended uploads directory. If an immediate upgrade is not possible, implement network-level controls to restrict access to the Banana Slides instance and disable or restrict the AI image generation feature until patched.

Patch guidance

Apply the patch from commit e8bc490 or later. This commit corrects the path traversal vulnerability in the generate_image() function. After patching, verify that the application no longer accepts crafted markdown image references that resolve to sibling directories. Test with examples such as 'uploads_backup' or 'uploadsX' to confirm the fix prevents bypass. Rebuild and redeploy the application, then confirm in logs that image generation requests now properly reject out-of-bounds paths.

Detection guidance

Monitor application logs for unusual image generation requests, particularly those referencing paths with directory names similar to but distinct from the configured uploads directory (e.g., 'uploads_backup', 'uploadsX'). Search for markdown image references in user-submitted page descriptions that do not conform to expected upload patterns. Check server filesystem access logs for unexpected reads from outside the uploads directory initiated by the Banana Slides process. Implement alerting on failed PIL Image.open() calls or path validation errors in the AI service logs to catch exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.5), unauthenticated attack vector, and direct confidentiality impact. The flaw is trivial to exploit—requiring only crafted markdown input—and affects all versions up to 0.4.0. While the CISA KEV list has not yet included this CVE, the combination of ease of exploitation, zero authentication requirement, and broad applicability makes it a priority for rapid remediation. Organizations should treat this as urgent unless they can confirm they are running a patched version.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects an unauthenticated network-based attack (AV:N/PR:N), low attack complexity (AC:L), no user interaction (UI:N), high confidentiality impact (C:H), and no integrity or availability impact (I:N/A:N). The score appropriately captures the ease and accessibility of the attack but does not account for real-world mitigating factors such as network segmentation, restricted deployment contexts, or the limited value of image files in particular environments. Security teams should use this score as a baseline and adjust local risk rating based on the sensitivity of image data stored in their Banana Slides instances.

Frequently asked questions

How can I tell if my Banana Slides instance has been exploited?

Check server and application logs for unusual image generation requests with suspicious markdown references, failed path validation errors, or attempts to access files outside the uploads directory. Search for access logs showing the Banana Slides process reading from unexpected locations. If available, review markdown content in page descriptions for malicious references inserted by attackers. A full filesystem audit comparing file access timestamps against request logs may reveal exfiltration.

Is there a workaround if I cannot patch immediately?

Yes. Disable the AI image generation feature or restrict access to the Banana Slides instance via network controls (firewall, VPN, authentication gateway) until a patch is applied. Additionally, implement strict input validation on user-supplied markdown to strip or sanitize image references. These mitigations reduce but do not eliminate risk; patching remains the recommended remediation.

Does this vulnerability require the attacker to have uploaded a file first?

No. The vulnerability is in the path traversal logic used to resolve markdown image references in page descriptions. An attacker need not upload any file; they simply craft a markdown reference with a path that bypasses the directory check. The application then attempts to open that arbitrary path via PIL, leading to disclosure of existing files on the server.

Are there known exploits or public proof-of-concept code?

As of the publication date, this analysis does not reference public proof-of-concept code. However, given the simplicity of the vulnerability, security teams should assume that weaponized exploits may be developed and deployed. Patching should not be delayed pending public disclosure of exploits.

This analysis is provided for informational purposes and reflects the CVE record, vendor advisory, and publicly available technical details as of the publication date. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this analysis. Organizations should verify all remediation steps, patch compatibility, and deployment impacts within their own environment. Consult vendor documentation and conduct thorough testing before applying patches to production systems. Actual exploitation risk varies based on deployment architecture, data sensitivity, and network controls. This analysis does not constitute legal advice or guarantee of security compliance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).