CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-53598

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 18, 2026·6 min read·3 visits

Executive Summary (TL;DR)

Microsoft Prompty loaders before 2.0.0-beta.2 are vulnerable to arbitrary file read via directory traversal, absolute paths, or symbolic link escapes within frontmatter `${file:...}` sequence expansions.

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Vulnerability Overview

The Microsoft Prompty ecosystem provides cross-language runtimes designed to load and parse prompt templates stored in the .prompty file format. This format combines frontmatter configurations, containing metadata and execution parameters, with a markdown template body representing the prompt text. The parser allows developers to configure environment and file-level requirements directly inside the frontmatter parameters.

To facilitate structured prompts, the specification supports a reference expansion feature where sequence indicators like ${file:<path>} are evaluated dynamically. When the loader encounters this pattern, it resolves the designated path and embeds the file contents directly into the parsing tree. This sequence is evaluated across the Python, C#, Node.js/TypeScript, and Rust implementations.

Prior to version 2.0.0-beta.2, the implementation of the reference parser failed to perform boundary-containment checks during file resolution. This allowed any processed .prompty configuration file containing directory traversal or absolute paths to escape the authorized prompt directory. As a result, an attacker-controlled configuration file could leak sensitive operating system and application files.

Root Cause Analysis

The core issue resides in the dynamic reference-resolution phase of the frontmatter parser. When parsing a .prompty configuration file, the engine scans the frontmatter dictionary for any string properties matching the ${file:path} schema. Upon extraction of the path argument, the resolver constructs an absolute path on the host file system using the directory containing the active .prompty template as its base.

In vulnerable versions of the library, the reconstructed file path was passed directly to standard file-system read utilities without verifying that the resolved path remained a descendant of the prompt's source directory or an authorized boundary. Because the resolver did not assert path containment, characters like relative traversals, absolute drive identifiers, or local symbolic links were expanded literally.

This behavior allowed three exploitation patterns to succeed during the resolution phase. Relative traversals utilizing parent directories reached higher-level system paths. Absolute paths bypassed the template directory tree completely. Symbolic link escapes resolved the link targets to arbitrary system folders, bypassing logical directory sandboxes.

Code Analysis

The fix for this vulnerability focuses on ensuring that any resolved file reference is constrained within a set of allowed directory roots. The default configurations dictate that only the directory containing the loaded .prompty template is considered a valid root.

# Python library fix implementation in prompty/core/loader.py
def _resolve_file_reference(
    agent_file: Path,
    reference: str,
    allowed_file_roots: Sequence[str | Path] | None,
) -> Path:
    """Resolve and validate a ``${file:...}`` reference."""
    # Canonicalize the parent directory of the prompt template
    prompt_root = agent_file.parent.resolve()
    
    # Establish allowed roots combining template directory and optional overrides
    allowed_roots = [prompt_root, *(Path(root).resolve() for root in allowed_file_roots or ())]
 
    candidate = Path(reference)
    if not candidate.is_absolute():
        candidate = prompt_root / candidate
 
    # Resolve symlinks and parent pointers to find the real physical path
    resolved = candidate.resolve()
    
    # Validate that the resolved target lies within one of the approved roots
    if not any(resolved == root or resolved.is_relative_to(root) for root in allowed_roots):
        roots = ", ".join(str(root) for root in allowed_roots)
        raise ValueError(
            f"File reference '{reference}' resolves outside allowed roots for '{agent_file}'. Allowed roots: {roots}"
        )
 
    return resolved

Comparing the vulnerable pattern to the updated logic reveals a transition to robust containment validation. The vulnerable code simply concatenated the relative path without performing .resolve() validation or testing with .is_relative_to(). The updated approach successfully blocks traversal payloads, absolute paths, and symbolic link targets resolving outside the approved boundary.

Exploitation Methodology

Exploitation of CVE-2026-53598 requires that an application ingest and parse a .prompty file containing an attacker-manipulated path. The attack surface typically manifests in platforms where users upload custom prompt configurations or when applications execute dynamic prompts retrieved from user-accessible sources.

An attacker supplies a template containing a payload in the metadata fields such as the description. When the application loads the configuration via load(), the parser extracts the arbitrary path from the reference sequence and reads the resource. The host application subsequently populates the parsed configuration object with the target content, exposing the sensitive data to the attacker through diagnostic logs, execution output, or UI responses.

Impact Assessment

The security impact of this vulnerability is categorized as high-severity confidential data exposure. Successful exploitation allows unauthorized, unauthenticated parties to read arbitrary files stored on the host running the vulnerable application, limited only by the host process's security permissions.

This flaw facilitates the extraction of configuration files, infrastructure-level environment variables, private SSL/TLS certificates, and application-specific secrets. In cloud-deployed applications, reading local configuration or metadata files can expose highly sensitive API tokens, database credentials, or identity access tokens. This level of exposure provides a path for horizontal escalation and broader system compromise.

While the vulnerability is restricted to read-only access and cannot directly manipulate system files or execute code, the extracted information is typically leveraged to execute subsequent attacks. Because no user interaction or authentication is required to trigger the path resolution, the exploitability vector remains simple and direct.

Remediation & Detection Guidance

The primary remediation action requires upgrading all instances of the Microsoft Prompty package to version 2.0.0-beta.2 or newer across all target programming environments. Applications must specify the fixed versions within their respective package management configurations.

If legitimate configuration demands require reference expansion outside the prompt template directory, developers must explicitly define the approved directories during loading operations. The application API allows passing the optional allowed roots parameter to prevent throwing validation exceptions.

# Safe Python loading pattern with customized directory roots
from prompty import load
from pathlib import Path
 
# Safely load the prompt and limit traversal strictly to authorized paths
prompt = load(
    "prompts/chat.prompty",
    allowed_file_roots=[Path("/var/app/shared-templates")]
)

Where immediate package updates are not possible, temporary mitigations include establishing strict validation rules at the application layer to verify .prompty files before loader ingestion. Restricting directory write privileges for the application's runtime process also limits the files exposed in a traversal attack.

Official Patches

MicrosoftMicrosoft Prompty Security Advisory GHSA-wxhm-2mq7-7697

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Probability
1.06%
Top 39% most exploited

Affected Systems

Microsoft Prompty Python Loader (prompty)Microsoft Prompty C# Loader (Prompty.Core)Microsoft Prompty TypeScript Loader (@prompty/core)Microsoft Prompty Rust Loader (prompty)

Affected Versions Detail

Product
Affected Versions
Fixed Version
prompty (Python)
Microsoft
< 2.0.0b22.0.0b2
Prompty.Core (C#)
Microsoft
< 2.0.0-beta.22.0.0-beta.2
@prompty/core (Node.js)
Microsoft
< 2.0.0-beta.22.0.0-beta.2
prompty (Rust)
Microsoft
< 2.0.0-beta.22.0.0-beta.2
AttributeDetail
CWE IDCWE-22 / CWE-200
Attack VectorNetwork (AV:N)
CVSS v3.17.5 (High)
EPSS Score1.057% (60.65th percentile)
Exploit StatusProof-of-Concept (PoC) Available
ImpactArbitrary File Read (Confidentiality: High)
CISA KEVNot Listed

MITRE ATT&CK Mapping

T1083File and Directory Discovery
Discovery
T1005Data from Local System
Collection
T1552Unsecured Credentials
Credential Access
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as '..' that can resolve to a location outside of the restricted directory.

Known Exploits & Detection

GitHub Fix Commit TestsThe patch tests include complete replication scenarios demonstrating absolute path, symlink, and relative path escape failures.

Vulnerability Timeline

Fix commits pushed to the Microsoft Prompty repository
2026-06-06
Security Advisory GHSA-wxhm-2mq7-7697 published
2026-07-16
CVE-2026-53598 officially assigned and published
2026-07-16
NVD entry finalized and CVSS scores established
2026-07-17

References & Sources

  • [1]GitHub Security Advisory GHSA-wxhm-2mq7-7697
  • [2]Microsoft Prompty Fix Commit 88ac9948
  • [3]NVD - CVE-2026-53598 Detail
  • [4]CVE.org Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•25 minutes ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
0 views•6 min read
•about 2 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
3 views•7 min read
•about 6 hours ago•GHSA-8QQM-FP2Q-V734
8.2

GHSA-8QQM-FP2Q-V734: Authorization Bypass in Skipper's Open Policy Agent Integration

An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 8 hours ago•CVE-2026-53597
8.7

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Amit Schendel
Amit Schendel
8 views•6 min read
•about 9 hours ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
8 views•7 min read
•about 10 hours ago•CVE-2026-55646
6.5

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Alon Barad
Alon Barad
8 views•5 min read