Description

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.

INFO

Published Date :

2026-01-07T22:27:19.410Z

Last Modified :

2026-01-08T20:09:55.184Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-21851 vulnerability.

Vendors Products
Monai
  • Monai
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-21851.

URL Resource
https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59 cve-icon cve-icon
https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact