PatchSiren cyber security CVE debrief

CVE-2026-0847 nltk CVE debrief

CVE-2026-0847 is a high-severity vulnerability in the Natural Language Toolkit (NLTK) library affecting versions up to and including 3.9.2. Multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader, fail to sanitize or validate the file paths they are given, so an attacker who controls a file path input can traverse outside the corpus directory and read sensitive files on the server. The issue is most serious where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation can expose sensitive files, including system files, SSH private keys, and API tokens, and in some cases may escalate to remote code execution when combined with other vulnerabilities.

Vendor: nltk
Product: nltk/nltk
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-04
Original CVE updated: 2026-06-30
Advisory published: 2026-03-04
Advisory updated: 2026-06-30

Who should care

Organizations using NLTK versions up to and including 3.9.2 should prioritize patching this vulnerability. This includes developers and administrators working with machine learning APIs, chatbots, or NLP pipelines that process user-controlled file inputs. Additionally, security teams responsible for monitoring and protecting sensitive files and systems should be aware of the potential risks associated with this vulnerability.

Technical summary

The vulnerability is caused by improper sanitization or validation of file paths in multiple CorpusReader classes within the NLTK library; the WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader classes are specifically named as affected. An attacker who supplies a crafted path can traverse directories and read sensitive files on the server. The vulnerability carries a CVSS score of 7.5 (high) and is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory.

Defensive priority

High priority should be given to patching this vulnerability, especially in environments where user-controlled file inputs are processed. Immediate action is recommended to prevent potential unauthorized access to sensitive files and systems.

Recommended defensive actions

  • Update NLTK to a version beyond 3.9.2.
  • Implement proper input validation and sanitization for file paths.
  • Monitor and restrict access to sensitive files and systems.
  • Conduct regular security audits and vulnerability assessments.
  • Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent potential attacks.
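The input-validation item above, as an added example that is not part of this debrief or of NLTK's own code: a containment check that confines a user-supplied file id to the corpus root before it is ever handed to a CorpusReader. It uses only the standard library; the corpus layout, file ids and the `safe_corpus_path` / `demo` helper names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFileId(ValueError):
    """Raised when a file id would escape the corpus root."""


def safe_corpus_path(root: str, fileid: str) -> Path:
    """Return root/fileid only if it still lies inside root after resolution.

    Rejects empty and absolute ids, any '..' component, and symlinks inside
    the root that point outside it. The file itself need not exist."""
    root_resolved = Path(root).resolve(strict=True)
    if not fileid or Path(fileid).is_absolute():
        raise UnsafeFileId(f"absolute or empty file id rejected: {fileid!r}")
    if ".." in Path(fileid).parts:
        raise UnsafeFileId(f"parent-directory component rejected: {fileid!r}")
    # resolve() follows symlinks, so a link that targets a file outside the
    # root resolves outside it and fails the containment test below.
    candidate = (root_resolved / fileid).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise UnsafeFileId(f"file id escapes corpus root: {fileid!r}")
    return candidate


def validate_fileids(root: str, fileids) -> list:
    """Validate every id a caller intends to pass to a CorpusReader."""
    return [safe_corpus_path(root, f) for f in fileids]


def demo() -> dict:
    """Build a throwaway corpus root (constructed sample data) and exercise
    the check; returns {file id: 'ok' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "corpus")
        os.makedirs(root)
        Path(root, "words.txt").write_text("alpha\nbeta\n")
        Path(tmp, "outside.txt").write_text("not part of the corpus\n")
        os.symlink(Path(tmp, "outside.txt"), Path(root, "link.txt"))
        for fid in ["words.txt", "../outside.txt", "/etc/hostname",
                    "link.txt", "sub/../words.txt"]:
            try:
                safe_corpus_path(root, fid)
                results[fid] = "ok"
            except UnsafeFileId:
                results[fid] = "rejected"
    return results
```

Call `validate_fileids(root, user_supplied_ids)` before constructing the reader and construct it only with the returned, validated paths; the check is a compensating control alongside upgrading NLTK, not a replacement for it.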

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. Multiple references from Red Hat and a security advisory from Huntr offer additional context and potential mitigations. However, the exact scope of affected systems and comprehensive details about exploitation are limited in the provided sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.