CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-5GFJ-64GH-MGMW

GHSA-5gfj-64gh-mgmw: Path Traversal in AGiXT Essential Abilities Extension

Alon Barad
Alon Barad
Software Engineer

Apr 9, 2026·7 min read·21 visits

Executive Summary (TL;DR)

Authenticated path traversal in AGiXT < 1.9.2 allows users to escape agent workspaces and access the host filesystem, resulting in arbitrary file read, write, and delete capabilities.

A path traversal vulnerability exists in the safe_join() function of the essential_abilities extension in AGiXT prior to version 1.9.2. An authenticated attacker can exploit this flaw to read, write, or delete arbitrary files on the host system, bypassing intended agent workspace restrictions.

Vulnerability Overview

AGiXT is an AI agent automation platform that utilizes an extension system to grant capabilities to designated agents. One core extension is essential_abilities, which handles fundamental agent interactions with the local environment, including reading, writing, modifying, and deleting files. To ensure security, these file operations are intended to be strictly sandboxed within a dedicated workspace directory for each agent.

A path traversal vulnerability (CWE-22) exists within the path resolution logic of this extension, specifically inside the safe_join() function. This function fails to adequately restrict user-supplied paths to the bounds of the intended workspace directory. By injecting directory traversal sequences into file manipulation commands, an attacker can coerce the application into operating on files outside the sandbox.

The vulnerability affects all versions of the agixt PyPI package prior to version 1.9.2. Because the agent file operations include write and delete capabilities, the impact extends beyond mere information disclosure. Successful exploitation compromises the confidentiality, integrity, and availability of the host system.

Exploitation requires the attacker to possess a valid API key to communicate with the AGiXT instance. The attacker must also have sufficient permissions to invoke file-related agent commands via the exposed REST API endpoints. No user interaction or complex exploitation chaining is required to trigger the vulnerability.

Root Cause Analysis

The root cause of this vulnerability lies in the implementation of the safe_join() function within agixt/extensions/essential_abilities.py. The function attempts to construct an absolute path by concatenating the designated workspace directory (self.WORKING_DIRECTORY) with an array of user-supplied path segments. The developer intended to sanitize this input using standard Python path manipulation libraries.

In the vulnerable implementation, the function relies on os.path.normpath and os.path.join to construct the final file path. The relevant code evaluates os.path.normpath(os.path.join(self.WORKING_DIRECTORY, *paths.split("/"))). While os.path.normpath collapses redundant separators and resolves up-level references (../), it does not inherently restrict the final resolved path to a specific prefix directory.

When a user supplies a payload containing sufficient ../ sequences, os.path.normpath resolves the path entirely outside of self.WORKING_DIRECTORY. Because the function subsequently returns this normalized path without validating that it remains a child of the workspace directory, the application implicitly trusts the malicious path. Any calling function utilizing safe_join() will then perform file I/O operations on the attacker-controlled location.

The vulnerability flow begins at the API edge. The agixt/endpoints/Extension.py endpoint accepts user-supplied JSON containing command_args. This payload is routed through the main execution engine in agixt/XT.py to the target extension. Once the essential_abilities extension receives the payload, it invokes safe_join() with the malicious filename argument, executing the filesystem operation out-of-bounds.

Code Analysis

Analyzing the vulnerable implementation reveals a fundamental misunderstanding of Python's os.path module constraints. The following snippet illustrates the flawed logic present in versions prior to 1.9.2.

# Vulnerable implementation in essential_abilities.py
def safe_join(self, paths) -> str:
    # Normalization occurs, but boundary enforcement is absent
    new_path = os.path.normpath(os.path.join(self.WORKING_DIRECTORY, *paths.split("/")))
    return new_path

If self.WORKING_DIRECTORY is /opt/agixt/workspace/ and the user provides ../../etc/passwd, os.path.join creates /opt/agixt/workspace/../../etc/passwd. The os.path.normpath function then evaluates the ../ directives, resolving the path to /opt/etc/passwd or /etc/passwd depending on the directory depth. The function blindly returns this escaped path.

The patch introduced in version 1.9.2 addresses this by employing absolute path resolution alongside rigorous prefix validation. The updated code resolves both the intended base directory and the user-requested path to their absolute canonical forms using os.path.realpath.

# Patched implementation in essential_abilities.py (v1.9.2)
def safe_join(self, paths) -> str:
    # Determine the canonical absolute path of the workspace
    base = os.path.realpath(self.WORKING_DIRECTORY)
    
    # Determine the canonical absolute path of the requested file
    new_path = os.path.realpath(
        os.path.normpath(os.path.join(self.WORKING_DIRECTORY, *paths.split("/")))
    )
    
    # CRITICAL FIX: Verify the resolved path remains inside the workspace boundary
    if not (new_path.startswith(base + os.sep) or new_path == base):
        raise PermissionError(
            f"Path traversal detected: refusing to access path outside workspace"
        )
    
    return new_path

This remediation strategy is robust. By invoking os.path.realpath, symlinks and all relative path sequences are fully expanded before validation. The strict .startswith(base + os.sep) check guarantees that the requested file resides completely within the directory tree of the designated workspace, neutralizing the traversal primitive entirely.

Exploitation

Exploiting this vulnerability requires network access to the AGiXT instance and a valid API token. The attacker leverages the /api/agent/{agent_name}/command endpoint to invoke built-in extensions. Specifically, the attacker targets commands that invoke the vulnerable safe_join() function, such as read_file, write_to_file, modify_file, and delete_file.

The HTTP request consists of a standard POST request with a JSON body defining the command name and its arguments. The attacker injects the directory traversal payload directly into the filename argument. The depth of the traversal sequence (../) must be sufficient to escape the agent's workspace directory and reach the filesystem root.

Upon processing the request, the application backend resolves the malicious path and performs the requested operation. In a file read scenario, the application returns the contents of the target file in the JSON response payload. The following Python script serves as a proof-of-concept for retrieving /etc/passwd from an affected instance.

import requests
 
BASE = "http://localhost:7437"
TOKEN = "<your_api_key>"
 
headers = {"Authorization": f"Bearer {TOKEN}"}
 
payload = {
    "command_name": "read_file",
    "command_args": {
        "filename": "../../../../../../../etc/passwd"
    }
}
 
r = requests.post(f"{BASE}/api/agent/MyAgent/command", json=payload, headers=headers)
print(r.text)

This exploitation methodology is highly reliable and does not depend on memory corruption or race conditions. The API response will contain the raw text of the target file, confirming successful exploitation. To escalate the attack, an adversary could modify the payload to target write_to_file, supplying a malicious cron job or SSH key in the command arguments.

Impact Assessment

The impact of this vulnerability is severe, meriting a CVSS 3.1 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The primary consequence is total loss of filesystem boundaries for the authenticated user. The attacker gains the same file access permissions as the underlying operating system user executing the AGiXT process.

The confidentiality impact is High. Attackers can read arbitrary files on the host, including sensitive environment variables, platform configuration files, database credentials, and cryptographic keys. Accessing files such as /etc/shadow or .ssh/id_rsa can immediately compromise the host system and adjacent infrastructure.

The integrity and availability impacts are also High due to the vulnerability affecting file write and delete operations. An attacker can overwrite existing system files, delete crucial application dependencies, or corrupt databases stored on disk. This allows for trivial denial-of-service against the application or the underlying system.

Furthermore, the write capability provides a direct path to Remote Code Execution (RCE). By writing executable files to critical locations (e.g., cron directories, .ssh/authorized_keys, or overwriting Python files in the application's site-packages), an attacker can achieve persistent, arbitrary code execution on the host server.

Remediation and Detection

The most effective remediation is to upgrade the agixt package to version 1.9.2 or later. This release contains the patch that fundamentally resolves the vulnerability by introducing proper path canonicalization and prefix verification. Development teams should verify their requirements.txt or pipfile explicitly pins agixt>=1.9.2.

If an immediate upgrade is not possible, network administrators can deploy Web Application Firewall (WAF) rules to detect and block malicious requests targeting the application API. Rules should inspect JSON payloads sent to the /api/agent/*/command endpoints and block requests where the filename parameter contains traversal sequences such as ../, ..\, or URL-encoded variants (..%2f).

Security teams should actively monitor application logs for indicators of compromise. The patch introduced in version 1.9.2 emits a PermissionError containing the string "Path traversal detected". Administrators running patched versions should alert on this exception, as it indicates an active, albeit unsuccessful, exploitation attempt.

To proactively detect vulnerable instances within an organization, security engineers can deploy targeted scanning templates. A custom Nuclei template can be constructed to fuzz the filename argument of the read_file command. The template should authenticate using a known test API key and verify if the response body contains contents indicative of local system files, such as root:x:0:0.

Official Patches

Josh-XTAGiXT Version 1.9.2 Release

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

agixt PyPI packageAGiXT essential_abilities extension

Affected Versions Detail

Product
Affected Versions
Fixed Version
agixt
Josh-XT
< 1.9.21.9.2
AttributeDetail
CWECWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Attack VectorNetwork
CVSS Score8.8 (High)
Privileges RequiredLow (Authenticated)
ImpactArbitrary File Read/Write/Delete
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1083File and Directory Discovery
Discovery
T1059Command and Scripting Interpreter
Execution
CWE-22
Path Traversal

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Known Exploits & Detection

Advisory DetailsPython requests script demonstrating read access to /etc/passwd via read_file command.

Vulnerability Timeline

Vulnerability Disclosed and GitHub Security Advisory Published
2024-04-08
Version 1.9.2 Released with Patch
2024-04-08

References & Sources

  • [1]GitHub Advisory Database: GHSA-5gfj-64gh-mgmw
  • [2]AGiXT Repository Security Advisory
  • [3]OSV Record for GHSA-5gfj-64gh-mgmw
  • [4]AGiXT GitHub Repository
  • [5]AGiXT v1.9.2 Release Notes

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 5 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
6 views•5 min read
•about 6 hours ago•GHSA-CWV4-H3J5-W3CF
3.7

GHSA-CWV4-H3J5-W3CF: Stored and Reflected Cross-Site Scripting in rama's Directory Listing Component

A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.

Alon Barad
Alon Barad
5 views•7 min read
•about 6 hours ago•GHSA-Q855-8RH5-JFGQ
6.5

GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.

Amit Schendel
Amit Schendel
5 views•8 min read
•about 7 hours ago•GHSA-F66Q-9RF6-8795
5.3

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

Amit Schendel
Amit Schendel
6 views•5 min read
•about 7 hours ago•CVE-2026-50127
5.9

CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate

A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.

Alon Barad
Alon Barad
7 views•6 min read
•about 8 hours ago•GHSA-P2FR-6HMX-4528
6.4

GHSA-p2fr-6hmx-4528: Unbound Resource Indicators Allow Cross-Audience Access Token Escalation in @better-auth/oauth-provider

A security vulnerability in @better-auth/oauth-provider allows OAuth clients to obtain access tokens for unauthorized audiences due to unbound resource indicators. The implementation fails to bind the requested target resource to the initial authorization grant. Consequently, a client can request an access token targeting any resource server within the global allowlist, bypassing user consent boundaries.

Alon Barad
Alon Barad
5 views•6 min read