Bug 2493994 (CVE-2026-13503)

Summary: CVE-2026-13503 antlr: ANTLR4: antlr ANTLR4: Path traversal via manipulation of getImportedVocabFile function
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lchilton, rhel-process-autobot, sfeifer, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in antlr ANTLR4. A remote attacker can exploit a path traversal vulnerability by manipulating the `getImportedVocabFile` function within the `tokenVocab Grammar Option Handler` component. This could allow unauthorized access to sensitive files and directories on the system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494756, 2494757, 2494758, 2494759, 2494760    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-28 16:01:41 UTC
A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.