github ail-project/ail-framework v6.9
AIL v6.9


AIL v6.9 introduces several important security improvements, including fixes for path traversal vulnerabilities exploitable by authenticated users, protection against two-factor authentication brute-force attempts, and safeguards preventing crawler access to localhost. This release also improves crawler reliability and adds support for unpacking Lookyloo archives.


Security improvements

  • Added a default-enabled option preventing the crawler from accessing localhost and local services.
  • Added brute-force protection for two-factor authentication.
  • Administrators can now clear global password and user 2FA timeout states.

Two-factor authentication brute-force protection

AIL previously did not restrict repeated failed attempts to verify a two-factor authentication code. An attacker who had successfully completed the password-authentication stage could submit an unlimited number of OTP guesses.

The new protection tracks failed OTP attempts per user, blocks verification for one hour after 30 failed attempts, and clears the counter following successful verification. Administrators can also manually clear it.
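One way to structure the per-user lockout the release describes, as an added illustration rather than AIL's own implementation: the in-memory dicts, the injectable clock and the `check_code` callback are assumptions standing in for whatever store and OTP verifier the project actually uses.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 30   # threshold stated in the release notes
BLOCK_SECONDS = 3600       # one-hour lockout stated in the release notes


@dataclass
class OtpAttemptGuard:
    """Per-user failed-OTP counter with a fixed lockout (hypothetical, not AIL code)."""
    clock: Callable[[], float] = time.time
    failed: Dict[str, int] = field(default_factory=dict)          # user -> failures
    blocked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time

    def is_blocked(self, user: str) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget it and start with a fresh counter
            self.clear(user)
            return False
        return True

    def verify(self, user: str, code: str, check_code: Callable[[str, str], bool]) -> bool:
        """check_code(user, code) is the real OTP check (e.g. TOTP); this wraps it."""
        if self.is_blocked(user):
            return False                 # refuse even a correct code while locked out
        if check_code(user, code):
            self.clear(user)             # successful verification resets the counter
            return True
        n = self.failed.get(user, 0) + 1
        self.failed[user] = n
        if n >= MAX_FAILED_ATTEMPTS:
            self.blocked_until[user] = self.clock() + BLOCK_SECONDS
        return False

    def clear(self, user: str) -> None:
        """Also the administrator action: reset the counter and any active lockout."""
        self.failed.pop(user, None)
        self.blocked_until.pop(user, None)
```

The guard rejects the request before the OTP is evaluated while a lockout is active, so a locked-out session cannot confirm a guess even if it happens to be right.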

Security fixes

The following path traversal vulnerabilities could only be exploited by users who were already authenticated and logged in to AIL. They were not exploitable by unauthenticated users.

Investigation download path traversal

Fixed a path traversal vulnerability in /investigation/download. An authenticated AIL user could supply crafted object identifiers through the investigation workflow, potentially allowing files accessible to the AIL process to be included in and retrieved through a generated archive.

Item comparison path traversal

Fixed a path traversal vulnerability in /objects/item/diff. An authenticated AIL user could provide crafted item identifiers through the s1 and s2 parameters, potentially allowing the application to read files accessible to the AIL process.

Exploitation was limited to files compatible with the expected gzip-compressed item format.

Users are encouraged to upgrade to AIL v6.9.

Crawler improvements

  • Added support for unpacking Lookyloo archives.
  • Improved the crawler settings interface.
  • Fixed invalid about:blank values being stored as last_redirected_url.
  • Fixed monthly recrawling of unavailable domains.
  • Added handling for Lacus “Too many open files” errors. Affected domains are now returned to the crawler queue for another attempt.

Acknowledgements

We thank the following reporters for responsibly disclosing vulnerabilities and helping improve AIL:

  • Tomás Illuminati
  • geo-chen
  • Stephen O
