Open OnDemand Allowlist Bypass Vulnerability Leading to Unauthorized File Access

Vulnerability

Open OnDemand, an open-source HPC portal, is vulnerable prior to versions 4.0.8 and 3.1.16 to a 'Time of Check to Time of Use' (TOCTOU) race when downloading zip files: the allowlist is checked at one point and the files are read at a later one, so a user can obtain files outside of the designated allowlist. The issue affects sites using the file browser allowlists in all current Open OnDemand versions, although any files reached this way remain protected by UNIX permissions.
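The defensive pattern against this class of bug is to validate the file that was actually opened rather than the name that was checked earlier. The following Ruby is an added example for this advisory and is not Open OnDemand's code; it assumes an allowlist expressed as a list of directory roots and an archive builder that opens each requested file by name (the function names are hypothetical).

```ruby
# Added example, not Open OnDemand's code. Assumption: an allowlist is a list of
# directory roots, and a download archive is built by opening each requested
# file by name. The allowlist decision is made on the descriptor that was
# actually opened, so a link swapped in between the name check and the open
# is refused instead of being read.

# True when the already-resolved path +resolved+ is one of the allowlist roots
# or lies beneath one of them.
def under_allowlist?(resolved, allowlist)
  allowlist.any? do |root|
    real_root = File.realpath(root)
    resolved == real_root || resolved.start_with?(real_root + File::SEPARATOR)
  end
end

# Opens +path+ for reading and returns the File only if the open descriptor
# refers to a regular file inside the allowlist. Returns nil otherwise.
def open_allowlisted(path, allowlist)
  # 1. Resolve all symlinks and refuse anything that already resolves outside.
  resolved = File.realpath(path)
  return nil unless under_allowlist?(resolved, allowlist)

  # 2. Open without following a symlink in the final component.
  io = File.open(resolved, File::RDONLY | File::NOFOLLOW)

  # 3. Re-check at time of use: resolve the name again, confirm it is still
  #    inside the allowlist, and confirm the descriptor is the same file
  #    (device + inode) as the one currently at that name. A swap in either
  #    direction between steps 1 and 3 shows up as a mismatch.
  now = File.realpath(resolved)
  current = File.lstat(now)
  opened = io.stat
  same = opened.dev == current.dev && opened.ino == current.ino
  unless same && opened.file? && under_allowlist?(now, allowlist)
    io.close
    return nil
  end
  io
rescue Errno::ENOENT, Errno::ELOOP, Errno::ENOTDIR, Errno::EISDIR, Errno::EACCES
  nil
end

# Convenience wrapper for the archive builder: file contents, or nil when the
# file is refused.
def read_allowlisted(path, allowlist)
  io = open_allowlisted(path, allowlist)
  return nil unless io
  begin
    io.read
  ensure
    io.close
  end
end
```

The order matters: the descriptor is obtained first and every later decision is made about that descriptor, so there is no window in which a path name is trusted after it was last inspected. Directories, dangling links and links that resolve outside the roots all come back as nil, which is the fail-closed behaviour a download endpoint wants.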

Impact

Exploitation of this vulnerability could lead to unauthorized access of files outside the user's allowlist, although such files would still be subject to UNIX permission restrictions.

Remediation

Upgrade to Open OnDemand 4.0.8 or 3.1.16, both of which contain the fix for this vulnerability.

Added: Nov 20, 2025, 5:20 PM
Updated: Nov 20, 2025, 5:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.