PatchSiren cyber security CVE debrief

CVE-2026-13503 antlr CVE debrief

CVE-2026-13503 is a path traversal vulnerability in antlr ANTLR4 up to and including version 4.13.2. The issue affects the function getImportedVocabFile in the file tool/src/org/antlr/v4/parse/TokenVocabParser.java, part of the component tokenVocab Grammar Option Handler. The vulnerability can be exploited remotely, and a public exploit is available. The vendor, antlr, was contacted but did not respond. The vulnerability has a CVSS score of 5.5 and a severity rating of MEDIUM.

Vendor: antlr
Product: ANTLR4
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-28
Original CVE updated: 2026-06-28
Advisory published: 2026-06-28
Advisory updated: 2026-06-28

Who should care

Organizations using ANTLR4 up to version 4.13.2 should be aware of this vulnerability and take steps to mitigate it. This vulnerability can be exploited remotely, and a public exploit is available, making it a significant risk. Security teams and developers using ANTLR4 should prioritize patching or mitigating this vulnerability.

Technical summary

The vulnerability is a path traversal issue (CWE-22) in the getImportedVocabFile function of TokenVocabParser.java. This function is part of the tokenVocab Grammar Option Handler in ANTLR4. The vulnerability has a CVSS score of 5.5 and a severity rating of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read against the CVSS 4.0 base metrics, that vector describes an attack over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), with a low confidentiality impact (VC:L) and no integrity or availability impact on the vulnerable system (VI:N, VA:N), no impact on subsequent systems (SC:N, SI:N, SA:N), and proof-of-concept exploit maturity (E:P).

Defensive priority

This vulnerability should be prioritized for remediation due to its MEDIUM severity rating and the availability of a public exploit. Organizations should patch or mitigate this vulnerability as soon as possible to prevent potential attacks.

Recommended defensive actions

  • Patch ANTLR4 to version 4.13.3 or later
  • Implement input validation and sanitization for the tokenVocab Grammar Option Handler
  • Monitor for suspicious activity related to ANTLR4
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks
  • Perform a thorough inventory of systems using ANTLR4 and prioritize patching
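The second action above, validating the tokenVocab value before it is turned into a file path, is the kind of check a defender would want wherever a grammar option names a file. The following Java class is an added example written for this debrief; it is not code from the ANTLR project and does not reproduce the project's fix. It assumes (as a hypothetical) that the option value is resolved against a library directory and given a ".tokens" suffix, and it rejects any value whose normalized path would land outside that directory or in a subdirectory of it.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Hypothetical helper added for this debrief; not code from the ANTLR project.
// It demonstrates a path-containment check for a file-naming grammar option.
public final class TokenVocabPathCheck {

    /** Thrown when a tokenVocab value would resolve outside the allowed directory. */
    public static final class UnsafeVocabPathException extends RuntimeException {
        UnsafeVocabPathException(String msg) { super(msg); }
    }

    /**
     * Resolve a tokenVocab option value to a .tokens file directly inside
     * libDirectory. Rejects empty values, values that escape the directory via
     * ".." or an absolute path, and values that name a subdirectory.
     */
    public static Path resolveVocabFile(Path libDirectory, String tokenVocab) {
        if (tokenVocab == null || tokenVocab.isEmpty()) {
            throw new UnsafeVocabPathException("tokenVocab option is empty");
        }
        // Normalize the base first so ".." segments in it cannot confuse startsWith.
        Path base = libDirectory.toAbsolutePath().normalize();

        // resolve() of an absolute argument returns that absolute path unchanged,
        // so an absolute-path escape is caught by the containment test below.
        Path candidate = base.resolve(tokenVocab + ".tokens").normalize();

        if (!candidate.startsWith(base)) {
            throw new UnsafeVocabPathException(
                "tokenVocab '" + tokenVocab + "' resolves outside " + base);
        }
        // A vocab name is expected to be a bare file name; any remaining directory
        // component means the value pointed into a subdirectory, which is rejected.
        Path parent = candidate.getParent();
        if (parent == null || !parent.equals(base)) {
            throw new UnsafeVocabPathException(
                "tokenVocab '" + tokenVocab + "' must name a file directly in " + base);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path lib = Paths.get("grammars", "lib");
        // Constructed sample option values: one legitimate name, then values
        // that try to leave the library directory or descend into it.
        List<String> samples = List.of(
            "CommonLexer",
            "../../outside",
            "/tmp/outside",
            "sub/CommonLexer",
            "a/../CommonLexer");
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + resolveVocabFile(lib, s));
            } catch (UnsafeVocabPathException e) {
                System.out.println("REJECT  " + s + " : " + e.getMessage());
            }
        }
    }
}
```

Of the constructed samples, only "CommonLexer" and "a/../CommonLexer" are accepted (the latter normalizes to the same file); the "..", absolute and subdirectory forms are rejected before any file is opened. The check works on lexical normalization only; if the library directory may contain symbolic links, resolving both paths with toRealPath() before comparing would also defeat symlink escapes, at the cost of requiring the file to exist.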

Evidence notes

The CVE record and NVD detail pages provide information on this vulnerability. The CVE record was published on June 28, 2026, and the NVD detail page was last modified on June 28, 2026. The vulnerability was detected in ANTLR4 up to version 4.13.2, and a public exploit is available.

Official resources

This article is AI-assisted and based on the supplied source corpus.