Executive Summary

CVE-2026-4964 is a security vulnerability in the Letta AI platform (version 0.16.4 and earlier) involving Server-Side Request Forgery (SSRF) and arbitrary file read issues.

The flaw exists in the function _convert_message_create_to_message within the message_helper.py file, specifically in how it processes image URLs starting with the file:// scheme.

When a user sends a message containing an image URL with a file:// path, the server opens and reads the specified file directly without validating the URL scheme, allowing unauthorized access to any file on the server.

This vulnerability arises because a prior fix that validated URL schemes was applied to a different code path but not to this image URL processing path, leaving this attack vector open.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated API user to read arbitrary files on the Letta server.

• Access to sensitive files such as environment variables containing secrets like API keys and database passwords.
• Exposure of system files like /etc/passwd.
• Reading application source code and configuration files.

This constitutes a privilege escalation from normal message sending to unauthorized server filesystem access, risking exposure of all server-level secrets to any user with API access.

The vulnerability affects multi-tenant and cloud deployments, increasing the risk of widespread data exposure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for messages or API requests that include image URLs with the scheme "file://", which trigger server-side file reads.

A practical detection method is to check server logs for errors such as FileNotFoundError or HTTP 502 errors that occur when the server attempts to read local files specified by these URLs.

You can also attempt a controlled test by sending a message with an image URL set to a known local file path, for example, "file:///etc/passwd", and observe if the server reads and processes the file content.

• Use network monitoring tools to filter API requests containing "file://" URLs.
• Check application logs for errors related to file access triggered by image URLs.
• Example command to search logs for file URL usage: `grep -r "file://" /path/to/letta/logs`
• Example command to test the vulnerability via API (replace with actual API call): `curl -X POST https://your-letta-instance/api/messages -d '{"image_url":"file:///etc/passwd"}'`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or blocking any image URLs with the "file://" scheme from being processed by the server.

Since no patched versions are available at the time of the report, you should implement input validation or filtering to reject or sanitize image URLs before they reach the vulnerable function.

Additionally, monitor and audit API usage to detect and block suspicious requests attempting to exploit this vulnerability.

Consider isolating the Letta AI service with strict filesystem permissions to limit the impact of arbitrary file reads.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-4964 vulnerability allows authenticated users to read arbitrary files on the server, including sensitive environment variables, credentials, application source code, and configuration files.

This unauthorized access to sensitive data can lead to exposure of personal data or protected health information, which may violate data protection regulations such as GDPR and HIPAA.

Because the vulnerability enables privilege escalation and unauthorized data disclosure in multi-tenant and cloud deployments, it poses a significant risk to compliance with standards requiring confidentiality, integrity, and protection of sensitive information.

Useful 0 Not Useful 0