Pathway disclosed and fixed CVE-2026-59094, a high-severity denial-of-service flaw affecting versions through 0.31.1. The vulnerability lies in the document-store and RAG REST servers, where attacker-controlled filepath_globpattern input is processed by a hand-written recursive glob matcher. Patterns containing repeated ** tokens can trigger exponential-time evaluation without memoization, allowing a remote unauthenticated attacker to drive heavy CPU consumption and deny service through exposed HTTP endpoints including /v1/inputs, /v1/retrieve, and /v2/answer.
The issue report said a short non-matching pattern with 14 ** segments produced roughly 40 million recursive calls and could pin a worker CPU core for more than 30 seconds per indexed document. Pathway addressed the flaw in commit d09722e and merged the fix through pull request #250, replacing the recursive logic with a memoized dynamic-programming approach and adding regression and performance tests showing pathological inputs now complete in under 0.5 seconds. Advisories also recommended limiting glob-pattern complexity, enforcing length and ** count restrictions, and validating user-supplied patterns.

Advisories published details for CVE-2026-59094, describing an unauthenticated denial-of-service vulnerability in Pathway through version 0.31.1 caused by exponential glob pattern matching in the document store. The advisories noted that remote attackers could abuse unauthenticated HTTP endpoints with a small number of crafted requests and identified commit d09722e as the fix.
A Pathway commit replaced the vulnerable recursive "**" glob expansion logic with a memoized dynamic-programming approach to eliminate the exponential-time behavior. The change also updated the changelog and added a regression test showing the previously pathological pattern completed in under 0.5 seconds.
Pathway merged pull request #250, which implemented a memoized dynamic-programming fix for the exponential glob-matching denial-of-service issue and included related regression and performance test updates. The PR explicitly referenced issue #241 and was merged after checks passed.
A GitHub issue disclosed that Pathway Live Data Framework 0.31.1 was vulnerable to unauthenticated denial of service via exponential-complexity glob matching in filepath_globpattern on document-store and RAG REST endpoints. The report described affected endpoints, attack conditions, and testing showing severe CPU consumption from crafted patterns.
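The following Python is an added illustration of the failure mode described above and of the two defences the advisories name; it is not Pathway's code, and the segment-based matcher, the `target.txt`/`dir` sample inputs and the limits in `pattern_is_acceptable` are constructed assumptions. `naive_match` re-solves the same (pattern position, path position) subproblem every time a `**` either matches nothing or consumes one segment, so its call count on a non-matching path grows combinatorially with the number of `**` tokens; `memo_match` has the same semantics but caches each state, so the work is bounded by (pattern length + 1) × (path length + 1). `pattern_is_acceptable` is the input-side mitigation: reject user-supplied patterns that are too long or carry too many `**` segments before they reach the matcher.

```python
"""Recursive '**' glob matcher, its memoized replacement, and a pattern check.

Constructed example for illustration; not Pathway's implementation.
"""
import fnmatch


def split_pattern(pattern: str) -> tuple:
    """Split a glob into path segments; '**' is only special as a whole segment."""
    return tuple(seg for seg in pattern.split("/") if seg != "")


def naive_match(pat: tuple, path: tuple, calls: list) -> bool:
    """Hand-written recursive matcher with no memoization.

    `calls` is a one-element list used as a call counter so the blow-up
    can be measured. Overlapping subproblems are re-solved on every branch.
    """
    calls[0] += 1
    if not pat:
        return not path
    head, rest = pat[0], pat[1:]
    if head == "**":
        # '**' matches zero segments ...
        if naive_match(rest, path, calls):
            return True
        # ... or swallows one segment and is tried again from the same '**'.
        return bool(path) and naive_match(pat, path[1:], calls)
    if not path:
        return False
    return fnmatch.fnmatchcase(path[0], head) and naive_match(rest, path[1:], calls)


def memo_match(pat: tuple, path: tuple, calls: list) -> bool:
    """Same semantics, but each (pattern index, path index) state is solved once.

    `calls` counts cache misses, i.e. distinct states actually evaluated.
    """
    memo = {}

    def solve(i: int, j: int) -> bool:
        key = (i, j)
        if key in memo:
            return memo[key]
        calls[0] += 1
        if i == len(pat):
            result = j == len(path)
        elif pat[i] == "**":
            result = solve(i + 1, j) or (j < len(path) and solve(i, j + 1))
        elif j == len(path):
            result = False
        else:
            result = fnmatch.fnmatchcase(path[j], pat[i]) and solve(i + 1, j + 1)
        memo[key] = result
        return result

    return solve(0, 0)


def count_calls(matcher, doublestars: int, depth: int) -> tuple:
    """Run `matcher` on a non-matching worst case: k '**' segments followed by a
    literal that never appears in a path of `depth` segments (constructed input).
    Returns (matched, number_of_calls)."""
    pat = ("**",) * doublestars + ("target.txt",)
    path = ("dir",) * depth
    calls = [0]
    matched = matcher(pat, path, calls)
    return matched, calls[0]


# Assumed limits for user-supplied patterns; tune to the deployment.
MAX_PATTERN_LEN = 256
MAX_DOUBLESTAR = 2


def pattern_is_acceptable(pattern: str, max_len: int = MAX_PATTERN_LEN,
                          max_doublestar: int = MAX_DOUBLESTAR) -> bool:
    """Input-side mitigation: bound pattern length and the number of '**' tokens."""
    if len(pattern) > max_len:
        return False
    doublestars = sum(1 for seg in split_pattern(pattern) if seg == "**")
    return doublestars <= max_doublestar


if __name__ == "__main__":
    # The naive matcher is run only at a modest size; 14 '**' segments would
    # take far too long, which is exactly the reported problem.
    for k in (2, 4, 6, 8):
        _, naive_calls = count_calls(naive_match, k, k)
        _, memo_calls = count_calls(memo_match, k, k)
        print(f"{k:2d} '**' segments: naive={naive_calls:>7d} calls  memo={memo_calls:>4d} states")
    _, memo_calls = count_calls(memo_match, 14, 14)
    print(f"14 '**' segments: memo={memo_calls} states")
    print("accept '**/**/**/x'?", pattern_is_acceptable("**/**/**/x"))
```

The memoized version is the drop-in replacement a reviewer would ask for; the complexity check is cheap defence in depth for endpoints that accept patterns from unauthenticated callers, and both can be deployed together.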