CVE-2026-29870
Directory Traversal in agentic-context-engine Allows Arbitrary File Write
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentic-context-engine | agentic-context-engine | to 0.7.1 (inc) |
| lilmingwa13 | agentic-context-engine | to 0.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This directory traversal vulnerability allows attackers to overwrite arbitrary files accessible to the application process, potentially leading to application corruption, privilege escalation, or code execution.
Such unauthorized file writes and potential data manipulation can compromise the confidentiality, integrity, and availability of sensitive data handled by the application.
Consequently, this vulnerability could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information from unauthorized access or alteration.
Specifically, if sensitive data or configuration files are overwritten or exposed due to this vulnerability, it may result in breaches of data protection obligations mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2026-29870 is a directory traversal vulnerability in the agentic-context-engine project (versions up to 0.7.1) that allows attackers to write files outside the intended checkpoint directory.
The vulnerability occurs because the save_to_file method in ace/skillbook.py does not normalize or validate filesystem paths. This allows traversal sequences like "../" to escape the designated checkpoint directory when specifying the checkpoint_dir parameter in OfflineACE.run.
As a result, an attacker who can control or influence the checkpoint_dir parameter can cause the application to write or overwrite arbitrary files accessible to the application process, breaking the intended directory boundary.
How can this vulnerability impact me? :
This vulnerability can lead to several serious impacts depending on the deployment context.
- Unintended file writes and overwrites outside the intended checkpoint directory.
- Potential application corruption by overwriting important files.
- Overwriting sensitive configuration files such as .env files.
- Possible privilege escalation or code execution if overwritten files are later processed or imported by the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if files are being written outside the intended checkpoint directory due to directory traversal sequences in the checkpoint_dir parameter.
Since the vulnerability involves arbitrary file writes via path traversal, you can monitor or audit file creation and modification events outside the expected checkpoint directory.
You can use commands to find unexpected files created outside the checkpoint directory, for example:
- Use find to locate files named like ace_latest.json or ace_checkpoint_*.json outside the expected directory: find /path/to/base -type f \( -name "ace_latest.json" -o -name "ace_checkpoint_*.json" \) ! -path "/path/to/base/checkpoints/*"
- Use auditd or inotifywait to monitor file writes outside the checkpoint directory.
- Check application logs or API parameters for suspicious or unexpected values of checkpoint_dir containing traversal sequences like "../".
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include normalizing and validating the checkpoint_dir parameter to prevent directory traversal.
Specifically, ensure that the application uses path normalization methods such as Path.resolve() and enforces that the resolved path remains within the intended base directory (e.g., using is_relative_to()).
Additionally, sanitize inputs to reject traversal sequences like "../" or restrict checkpoint_dir to safe subdirectories.
If possible, update the agentic-context-engine project to a version that includes these fixes or apply patches that implement these validations.
As a temporary measure, monitor and restrict user input controlling checkpoint_dir to trusted sources only.