Cyber Posture

CVE-2026-40035

Severity: Critical · Public PoC available

Published: 08 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-10 (Information Input Validation) requires that values be validated where they are parsed, including configuration values. Parsing the debug flag into a real boolean at config-parsing time, instead of passing the raw string through, stops a non-empty string such as "False" from enabling Flask debug mode and exposing the Werkzeug debugger.

prevent: SI-2 (Flaw Remediation) mandates timely remediation of known flaws; applying the fix referenced in the advisories removes the string-to-truthy coercion in config parsing.

prevent: CM-6 (Configuration Settings) enforces a documented secure baseline. Explicitly disabling debug mode in the deployed configuration, and verifying the running app does not serve the debugger, is the workaround for deployments that cannot yet patch.

Security Summary (AI-generated)

CVE-2026-40035 is an improper input validation vulnerability, tracked as CWE-489 (Active Debug Code), in the config parsing of Unfurl, an open-source tool from Obsidian Forensics used in digital forensics and incident response. Versions of Unfurl through 2025.08 are affected. The debug configuration value is read as a string and passed directly to Flask's app.run(), which coerces it with bool(); any non-empty string, including one the operator intended as "off", is truthy and enables debug mode. The result is a Flask application that serves the Werkzeug debugger to anyone who can reach it.
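The coercion described above, and a fail-closed parser that avoids it, as an added example. This is not Unfurl's or Flask's own code; the INI layout (an `[app]` section with a `debug` key) is a hypothetical stand-in for the real config format, and the only Flask behaviour it relies on is that `app.run(debug=...)` evaluates `bool()` on the argument it is given.

```python
"""Added example (not Unfurl's or Flask's own code): why a string-typed
debug flag enables debug mode, and a fail-closed parser that does not.

Assumptions: a hypothetical INI config with an [app] section and a
'debug' key; Flask's app.run() coerces its debug argument with bool().
"""
import configparser

# Constructed sample config. The operator wrote debug = False and
# expects debug mode to be OFF.
SAMPLE_CONFIG = """
[app]
debug = False
"""

_TRUE_WORDS = {"1", "true", "yes", "on"}
_FALSE_WORDS = {"0", "false", "no", "off"}


def _read_raw_debug(config_text: str):
    """ConfigParser.get() returns the raw string, never a bool."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.get("app", "debug", fallback=None)


def vulnerable_debug_flag(config_text: str) -> bool:
    """Reproduces the bug class from the advisory: the raw string is passed
    straight to app.run(debug=...), which applies bool() to it. Any
    non-empty string, including "False" or "0", is truthy."""
    raw = _read_raw_debug(config_text)
    return bool(raw)


def parse_bool(value, default: bool = False) -> bool:
    """Strict boolean parser for config/env values. Recognised spellings map
    to True/False; anything else raises instead of silently enabling a
    dangerous mode (fail closed)."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in _TRUE_WORDS:
        return True
    if text in _FALSE_WORDS:
        return False
    raise ValueError(f"unrecognised boolean value {value!r} for debug flag")


def safe_debug_flag(config_text: str) -> bool:
    """Hardened read: parse to a real bool before it reaches app.run()."""
    return parse_bool(_read_raw_debug(config_text))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_debug_flag(SAMPLE_CONFIG))  # True
    print("hardened:  ", safe_debug_flag(SAMPLE_CONFIG))        # False
```

For INI-style configs the standard library already provides this: `ConfigParser.getboolean()` accepts 1/yes/true/on and 0/no/false/off and raises `ValueError` on anything else. The point either way is that the value must be a real `bool` before it is handed to `app.run()`, and that unknown spellings must fail closed rather than default to the dangerous setting.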

Exploitation requires no privileges or user interaction and is performed over the network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, score 9.1). The misconfiguration is entirely server-side, so the attacker supplies no configuration at all; reaching the Flask application is enough. With debug mode on, any unhandled exception returns Werkzeug's interactive traceback page, which discloses source context and application state, and the debugger's console permits arbitrary Python execution in the server process. Werkzeug gates the console behind a PIN by default, so the severity of a given deployment depends on whether that PIN is disabled or recoverable; the traceback disclosure needs no PIN.
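A check that a defender can run against their own Unfurl instance, as an added example that is not part of the advisory, Unfurl or Werkzeug: classify an HTTP response as a Werkzeug debugger page and probe a host's `/console` route. Assumptions are labelled in the code: Werkzeug's default console path is `/console`, its debugger templates carry the title "Werkzeug Debugger" and a script block setting `CONSOLE_MODE`/`EVALEX`/`EVALEX_TRUSTED`, and `EVALEX_TRUSTED` reflects whether the PIN check is currently satisfied. The target URL in the usage line is a placeholder.

```python
"""Added example (not from the advisory, Unfurl or Werkzeug): classify an
HTTP response body as a Werkzeug debugger page, and probe a host for it.

Assumptions: the debugger console sits at Werkzeug's default path
/console; the traceback and console templates carry the title
"Werkzeug Debugger" and a script block setting CONSOLE_MODE / EVALEX /
EVALEX_TRUSTED, where EVALEX_TRUSTED is true only when the PIN check is
already satisfied or disabled.
"""
import re
import urllib.error
import urllib.request

_TITLE = re.compile(r"Werkzeug Debugger", re.I)
_SCRIPT_VARS = re.compile(r"\b(CONSOLE_MODE|EVALEX|EVALEX_TRUSTED)\s*=", re.I)

# Constructed sample bodies (not captured from a real host).
SAMPLE_DEBUGGER_PAGE = """<!doctype html><html><head>
<title>NameError // Werkzeug Debugger</title>
<script>var CONSOLE_MODE = false, EVALEX = true, EVALEX_TRUSTED = false,
SECRET = "constructed";</script></head><body><div class="debugger">
<h1>NameError</h1></div></body></html>"""
SAMPLE_NORMAL_404 = (
    "<!doctype html><title>404 Not Found</title><h1>Not Found</h1>"
)


def is_werkzeug_debugger(body: str) -> bool:
    """True when the body looks like a Werkzeug debugger page (traceback
    view or console). A hit proves the debugger is exposed, not that RCE
    is unauthenticated; see console_pin_protected()."""
    return bool(_TITLE.search(body)) or bool(_SCRIPT_VARS.search(body))


def console_pin_protected(body: str):
    """Best-effort (assumption about Werkzeug's template): EVALEX_TRUSTED
    is false while the PIN has not been entered. Returns True when a PIN
    prompt still stands, False when code can be evaluated directly, and
    None when the variable is absent (not a debugger page)."""
    m = re.search(r"EVALEX_TRUSTED\s*=\s*(true|false)", body, re.I)
    if not m:
        return None
    return m.group(1).lower() == "false"


def probe_console(base_url: str, timeout: float = 5.0):
    """Fetch <base_url>/console and classify it. Returns (status, exposed).
    A Flask app with the debugger off normally answers /console with its
    own 404; an exposed debugger answers 200 with the console page."""
    url = base_url.rstrip("/") + "/console"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status = exc.code
        body = exc.read(65536).decode("utf-8", "replace")
    return status, is_werkzeug_debugger(body)


if __name__ == "__main__":
    # Placeholder target; replace with your own Unfurl instance.
    print(probe_console("http://127.0.0.1:5000"))
```

Run it only against hosts you own or are authorised to test. A `True` from `probe_console()` means the Werkzeug debugger is reachable and the host should be treated as exposed regardless of the PIN state; the remediation is the patch or an explicit `debug` off in the configuration, not a PIN.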

Advisories providing mitigation guidance include the GitHub security advisory at https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2 and the VulnCheck analysis at https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing. Security practitioners should review these for patching instructions and configuration workarounds.

Details

CWE(s)

Affected Products

ryandfir / unfurl, versions ≤ 2025.08

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-40035 maps to T1190 because the weakness sits in an Internet-reachable Flask application: improper input validation in Unfurl's config parsing leaves the Werkzeug debugger exposed, so an unauthenticated remote attacker with no user interaction can obtain sensitive information and remote code execution directly from the public-facing service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References