Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4307 is a path traversal vulnerability found in the Agent Zero software version 0.9.7-10, specifically in the function get_abs_path located in python/helpers/files.py. The vulnerability occurs because the function uses Python's os.path.join() to combine a base directory with user-supplied file paths without properly validating them. When an absolute path is provided by an attacker, os.path.join() discards the base directory and returns the absolute path, allowing the attacker to access files outside the intended workspace directory."}, {'type': 'paragraph', 'content': 'This flaw enables an attacker to remotely read arbitrary files on the server by sending specially crafted requests to the /download_work_dir_file API endpoint with a path parameter pointing to sensitive files such as /etc/passwd or /a0/.env. The vulnerability arises from improper sanitization of external input used to construct file paths, classified under CWE-22 (Path Traversal).'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to read arbitrary files on the affected system remotely, which can lead to exposure of sensitive information such as user account details, password hashes, SSH private keys, cloud credentials, API keys, and application secrets stored in environment files.

Attackers can exploit this flaw to perform user enumeration, steal credentials, and potentially move laterally within cloud environments. Additionally, if attackers obtain leaked tokens like A0_PERSISTENT_RUNTIME_ID from exposed files, they may bypass authentication mechanisms and achieve remote code execution, leading to full system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the path traversal flaw in the /download_work_dir_file API endpoint of Agent Zero. Specifically, you can test if the application improperly allows access to arbitrary files by sending crafted HTTP GET requests with absolute file paths.'}, {'type': 'list_item', 'content': 'Run Agent Zero via Docker: docker run -d -p 50001:80 agent0ai/agent-zero:latest'}, {'type': 'list_item', 'content': 'Obtain a CSRF token with: curl -s -c /tmp/cookies.txt "http://localhost:50001/csrf_token"'}, {'type': 'list_item', 'content': 'Use the token to attempt reading sensitive files, for example: curl -s -b /tmp/cookies.txt -H "X-CSRF-Token: $TOKEN" "http://localhost:50001/download_work_dir_file?path=/etc/passwd"'}, {'type': 'list_item', 'content': 'Similarly, try accessing other sensitive files like /a0/.env to confirm vulnerability.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, no official patches or vendor mitigations are available for this vulnerability. Immediate mitigation steps include:

• Restrict access to the vulnerable API endpoint /download_work_dir_file to trusted users or networks.
• Disable or restrict authentication if it is disabled by default, to prevent unauthorized access.
• Consider replacing the affected component (Agent Zero version 0.9.7-10) with an alternative product that does not have this vulnerability.
• Implement custom validation to ensure that file paths supplied to the application do not allow path traversal, for example by verifying that resolved paths remain within the intended base directory.

Useful 0 Not Useful 0