CVE-2026-39981
Directory Traversal in AGiXT safe_join() Allows Arbitrary File Access
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agixt | agixt | before 1.9.2 (1.9.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39981 is a path traversal vulnerability in the safe_join() function of the essential_abilities extension in AGiXT versions prior to 1.9.2. The function fails to properly validate that file paths remain within the designated agent workspace directory. This flaw allows an authenticated attacker with a valid API key to use directory traversal sequences (like "../../") to read, write, or delete arbitrary files on the server hosting the AGiXT instance.
Technically, the vulnerability arises because the function uses os.path.normpath and os.path.join without sufficient checks, allowing attackers to escape the intended directory. A proof-of-concept involves sending a specially crafted API request to read sensitive files outside the workspace.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized reading, modification, or deletion of arbitrary files on the server hosting AGiXT. An attacker can steal credentials, inject malicious code for persistent execution, or cause denial of service by deleting critical files.
The vulnerability requires only a valid API key for exploitation and does not require elevated privileges, making it easier for attackers with limited access to cause significant damage.
The CVSS v3.1 base score is 8.8 (High), reflecting high confidentiality, integrity, and availability impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the path traversal flaw in the safe_join() function via the AGiXT API. Specifically, sending a crafted POST request to the API endpoint `/api/agent/MyAgent/command` with a payload that includes directory traversal sequences (e.g., "../../etc/passwd") in the filename parameter can reveal unauthorized file access.
A proof-of-concept detection command involves using a POST request to the AGiXT API to invoke the "read_file" command with a filename containing path traversal sequences. If the server responds with the contents of files outside the designated workspace, the vulnerability is present.
Example curl command to test for the vulnerability:

```bash
curl -X POST https://<agixt-server>/api/agent/MyAgent/command \
  -H 'Authorization: Bearer <valid_api_key>' \
  -H 'Content-Type: application/json' \
  -d '{"command": "read_file", "filename": "../../etc/passwd"}'
```
Successful retrieval of sensitive files like /etc/passwd indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade AGiXT to version 1.9.2 or later, where the vulnerability has been fixed.
The fix involves an improved safe_join() function that uses realpath resolution and strict path validation to prevent directory traversal outside the agent workspace.
- Upgrade AGiXT to version 1.9.2 by following the official release instructions.
- If upgrading immediately is not possible, restrict access to the AGiXT API to trusted users only, ensuring that only authenticated users with valid API keys can access it.
- Monitor and audit API usage for suspicious commands involving file operations.
Applying the official patch or upgrade is the most effective and recommended mitigation.
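The difference between a normpath-and-join helper and the realpath-based containment check described above, as an added example. This is not AGiXT's code: the function names `naive_join`, `hardened_join` and `escapes` are hypothetical, the inputs are constructed, and a POSIX filesystem is assumed.

```python
import os
import tempfile


def naive_join(base: str, user_path: str) -> str:
    """Weak pattern (illustrative): normalises the path but never checks containment."""
    return os.path.normpath(os.path.join(base, user_path))


def hardened_join(base: str, user_path: str) -> str:
    """Resolve '..' and symlinks first, then require the result to stay under base."""
    base_real = os.path.realpath(base)
    # os.path.join drops base when user_path is absolute; the check below catches that.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes workspace: {user_path!r}")
    return candidate


def escapes(base: str, path: str) -> bool:
    """True if path, once fully resolved, lies outside base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def demo() -> dict:
    """Return {input: (naive result escapes, hardened join refuses)} for constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        os.makedirs(workspace)
        # Constructed symlink inside the workspace that points back out of it.
        os.symlink(root, os.path.join(workspace, "link"))
        for name in ("notes/a.txt", "../outside.txt", "/etc/passwd", "link/outside.txt"):
            naive_escapes = escapes(workspace, naive_join(workspace, name))
            try:
                hardened_join(workspace, name)
                refused = False
            except PermissionError:
                refused = True
            results[name] = (naive_escapes, refused)
    return results


if __name__ == "__main__":
    for name, (naive_escapes, refused) in demo().items():
        print(f"{name!r}: naive escapes={naive_escapes}, hardened refuses={refused}")
```

The symlink case is the one a purely textual prefix check misses: the joined string still begins with the workspace path, and only resolution with `realpath` shows that it leaves the workspace.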
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to read, write, or delete arbitrary files on the server hosting the AGiXT instance by exploiting directory traversal sequences. This unauthorized file access can lead to credential theft, persistent code execution, or denial of service.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability. Exposure or manipulation of sensitive data due to this vulnerability could result in violations of these regulations.