CVE-2026-21851

5.3 MEDIUM

📋 TL;DR

This CVE describes a Path Traversal (Zip Slip) vulnerability in MONAI's _download_from_ngc_private() function that allows attackers to write arbitrary files outside the intended extraction directory. The vulnerability affects MONAI versions up to 1.5.1 when using the affected function to download private NGC datasets. Users who download private datasets via this function are at risk.

💻 Affected Systems

Products:
  • MONAI (Medical Open Network for AI)
Versions: Up to and including version 1.5.1
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the _download_from_ngc_private() function; other download functions use safe_extract_member() properly.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution via arbitrary file overwrite, potentially leading to complete system compromise if malicious archives are processed with elevated privileges.

🟠 Likely Case: Arbitrary file overwrite in the extraction directory context, potentially corrupting system files or planting backdoors.

🟢 If Mitigated: Limited to file writes within user permissions, potentially causing data corruption but not privilege escalation.

🌐 Internet-Facing: MEDIUM - Requires processing malicious archives from untrusted sources, but function is for private NGC downloads which may involve external data.
🏢 Internal Only: LOW - Internal use with trusted archives poses minimal risk unless supply chain is compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple archive manipulation required.

Exploitation requires crafting malicious zip archives with path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 4014c8475626f20f158921ae0cf98ed259ae4d59

Vendor Advisory: https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27

Restart Required: No

Instructions:

1. Update MONAI to a version after commit 4014c8475626f20f158921ae0cf98ed259ae4d59.
2. Use pip install --upgrade monai.
3. Verify the fix by checking that the function uses safe_extract_member().

🔧 Temporary Workarounds

Avoid the _download_from_ngc_private() function
Applies to: all
Temporarily stop using the vulnerable function until patched.

Manual archive validation
Applies to: all
Manually validate zip file members before extraction.

# Python snippet to validate member paths before extracting
import zipfile
import os

def safe_extract(zip_path, extract_dir):
    # Resolve the destination once; comparing resolved absolute paths avoids
    # commonpath() raising when a relative and an absolute path are mixed.
    base = os.path.realpath(extract_dir)
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            target_path = os.path.realpath(os.path.join(base, member))
            # Reject any member that would land outside the destination
            # ('../x', an absolute name, or '..' in the middle of the path).
            if os.path.commonpath([base, target_path]) != base:
                raise ValueError('Path traversal attempt detected')
        # Every member has been validated; only now write to disk.
        zf.extractall(base)
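The following is an added example, not code from MONAI or from this advisory. It builds a constructed archive in memory that mixes one benign entry with the three shapes of Zip Slip member a validator has to catch (a leading `..`, a `..` in the middle of the path, and an absolute name), then shows a defensive extractor that flags them and refuses to write anything. All file names and contents are made up for the demonstration.

```python
# Added example (not MONAI project code): construct a zip with Zip Slip style
# members in memory and show a validate-then-extract routine rejecting it.
import io
import os
import tempfile
import zipfile


def build_test_archive():
    """Return bytes of a constructed zip with one safe and three unsafe members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dataset/train.csv", "id,label\n1,0\n")      # benign entry
        zf.writestr("../outside.txt", "escapes one level up")    # leading '..'
        zf.writestr("dataset/../../also_outside.txt", "nested")  # '..' mid-path
        zf.writestr("/etc/poisoned.conf", "absolute path")       # absolute name
    return buf.getvalue()


def unsafe_members(zip_bytes, extract_dir):
    """Return the member names that would resolve outside extract_dir.

    Both sides are passed through realpath so a relative destination, '..'
    components and absolute member names are normalised the same way.
    """
    base = os.path.realpath(extract_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(base, name))
            # commonpath([base, target]) equals base only when target is at
            # or below base; anything else has escaped the destination.
            if os.path.commonpath([base, target]) != base:
                bad.append(name)
    return bad


def safe_extract_bytes(zip_bytes, extract_dir):
    """Extract only after every member is validated; returns the names written."""
    bad = unsafe_members(zip_bytes, extract_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(extract_dir)
        return zf.namelist()


def demo():
    """Run the check on the constructed archive in a scratch directory.

    Returns (flagged member names, whether extraction succeeded, directory
    contents afterwards) so the outcome can be inspected or asserted on.
    """
    data = build_test_archive()
    with tempfile.TemporaryDirectory() as tmp:
        flagged = unsafe_members(data, tmp)
        try:
            safe_extract_bytes(data, tmp)
            extracted_ok = True
        except ValueError:
            extracted_ok = False
        # Validation runs before extractall(), so a rejected archive leaves
        # the destination untouched rather than partially written.
        leftovers = os.listdir(tmp)
    return flagged, extracted_ok, leftovers


if __name__ == "__main__":
    flagged, extracted_ok, leftovers = demo()
    print("flagged:", flagged)
    print("extracted:", extracted_ok, "leftovers:", leftovers)
```

The design point is validate-all-then-extract: a check that runs per member during extraction can still leave earlier, legitimate members on disk when a later one is rejected, whereas rejecting the whole archive up front gives a clean all-or-nothing result that is also a clear event to log (the "path validation failure" indicator listed under Detection & Monitoring below).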

🧯 If You Can't Patch

  • Restrict use of _download_from_ngc_private() to trusted sources only.
  • Run MONAI with minimal user permissions to limit file write scope.

🔍 How to Verify

Check if Vulnerable:

Check if MONAI version is ≤1.5.1 and if code uses _download_from_ngc_private() function.

Check Version:

python -c "import monai; print(monai.__version__)"

Verify Fix Applied:

Verify the function now uses safe_extract_member() instead of zipfile.ZipFile.extractall() directly.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside extraction directories
  • Errors from path validation failures

Network Indicators:

  • Downloads from NGC private repositories triggering extraction

SIEM Query:

Process execution with arguments containing 'monai' AND file write operations with '..' in path
