CVE-2026-22777

7.5 HIGH

📋 TL;DR

ComfyUI-Manager extension versions before 3.39.2 and 4.0.5 contain an injection vulnerability where attackers can manipulate HTTP query parameters to inject arbitrary configuration values into config.ini. This allows tampering with security settings or altering application behavior. Users running vulnerable versions of ComfyUI-Manager are affected.

💻 Affected Systems

Products:
  • ComfyUI-Manager
Versions: All versions before 3.39.2 and 4.0.5
Operating Systems: All platforms running ComfyUI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using vulnerable ComfyUI-Manager extension versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of ComfyUI security settings leading to unauthorized access, data exposure, or malicious code execution through configuration manipulation.

🟠

Likely Case

Unauthorized modification of application behavior, potential privilege escalation, or disruption of normal ComfyUI operations.

🟢

If Mitigated

Limited impact with proper input validation and access controls, potentially only affecting non-critical configuration values.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires HTTP access to the vulnerable endpoint with specially crafted query parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.39.2 or 4.0.5

Vendor Advisory: https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2

Restart Required: Yes

Instructions:

1. Update the ComfyUI-Manager extension to version 3.39.2 or 4.0.5.
2. Restart the ComfyUI service.
3. Verify that the update was applied successfully.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement input validation to filter special characters in HTTP query parameters

# Requires custom middleware implementation

Access Restriction

Platform: all

Restrict HTTP access to ComfyUI-Manager endpoints

# Configure firewall rules or web server access controls

🧯 If You Can't Patch

  • Implement strict input validation for all HTTP query parameters
  • Restrict network access to ComfyUI-Manager endpoints using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check ComfyUI-Manager extension version in ComfyUI interface or extension directory

Check Version:

# Check ComfyUI-Manager version in ComfyUI web interface under 'Manager' section

Verify Fix Applied:

Verify that the installed ComfyUI-Manager version is 3.39.2 or later (3.x line) or 4.0.5 or later (4.x line).

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests with special characters in query parameters
  • Unexpected modifications to config.ini file

Network Indicators:

  • HTTP requests containing special characters like ;, &, |, >, < in query parameters to ComfyUI-Manager endpoints

SIEM Query:

http.url:*comfyui* AND http.query:*[;|&|>|<]*
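As an added example (not part of this advisory), the log and network indicators above applied to access-log lines: it flags requests to ComfyUI-Manager endpoints whose percent-decoded query-parameter values contain the listed characters. The endpoint path prefixes are assumed, and CR/LF are added to the indicator set as an assumption because config.ini is a line-oriented format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicator characters from the advisory, plus CR/LF (an assumption added
# here: config.ini is line-oriented, so a newline in a value can add a line).
SUSPICIOUS_CHARS = frozenset(";&|><\r\n")

# Path prefixes treated as ComfyUI-Manager endpoints (assumed for this
# example, not taken from the advisory; adjust to the installed routes).
MANAGER_PATH_PREFIXES = ("/manager/", "/customnode/")

# Minimal combined-log-format parser: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(target):
    """Return (param, decoded_value, chars) for each query parameter of a
    ComfyUI-Manager request whose decoded value contains an indicator
    character. parse_qsl percent-decodes, so %0A and %3B are caught too."""
    parts = urlsplit(target)
    if not parts.path.startswith(MANAGER_PATH_PREFIXES):
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        chars = sorted(SUSPICIOUS_CHARS.intersection(value))
        if chars:
            hits.append((key, value, chars))
    return hits

def scan_log(lines):
    """One finding per suspicious parameter; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        for key, value, chars in suspicious_params(target):
            findings.append({"client": client, "method": method, "status": status,
                             "path": urlsplit(target).path, "param": key,
                             "value": value, "chars": chars})
    return findings

# Constructed sample lines (not real traffic). Lines 2 and 3 carry a
# percent-encoded newline and semicolon inside a parameter value.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /manager/foo?mode=remote HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2026:10:00:02 +0000] "GET /manager/foo?value=a%0Ab%3Dc HTTP/1.1" 200 77',
    '10.0.0.9 - - [12/Jan/2026:10:00:03 +0000] "GET /customnode/bar?q=x%3By HTTP/1.1" 200 77',
    '10.0.0.7 - - [12/Jan/2026:10:00:04 +0000] "POST /prompt?x=%3B HTTP/1.1" 200 10',
]
```

The same request to a non-Manager path (the `/prompt` line) is deliberately not flagged, which keeps the check scoped to the affected endpoints rather than to every query string on the server.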

🔗 References
