Executive Summary

CVE-2026-39981 is a path traversal vulnerability in the safe_join() function of the essential_abilities extension in AGiXT versions prior to 1.9.2. The function fails to properly validate that file paths remain within the designated agent workspace directory. This flaw allows an authenticated attacker with a valid API key to use directory traversal sequences (like "../../") to read, write, or delete arbitrary files on the server hosting the AGiXT instance.

Technically, the vulnerability arises because the function uses os.path.normpath and os.path.join without sufficient checks, allowing attackers to escape the intended directory. A proof-of-concept involves sending a specially crafted API request to read sensitive files outside the workspace.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized reading, modification, or deletion of arbitrary files on the server hosting AGiXT. An attacker can steal credentials, inject malicious code for persistent execution, or cause denial of service by deleting critical files.

The vulnerability requires only a valid API key for exploitation and does not require elevated privileges, making it easier for attackers with limited access to cause significant damage.

The CVSS v3.1 base score is 8.8 (High), reflecting high confidentiality, integrity, and availability impacts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal flaw in the safe_join() function via the AGiXT API. Specifically, sending a crafted POST request to the API endpoint `/api/agent/MyAgent/command` with a payload that includes directory traversal sequences (e.g., "../../etc/passwd") in the filename parameter can reveal unauthorized file access.

A proof-of-concept detection command involves using a POST request to the AGiXT API to invoke the "read_file" command with a filename containing path traversal sequences. If the server responds with the contents of files outside the designated workspace, the vulnerability is present.

• Example curl command to test for the vulnerability: curl -X POST https://<agixt-server>/api/agent/MyAgent/command \ -H 'Authorization: Bearer <valid_api_key>' \ -H 'Content-Type: application/json' \ -d '{"command": "read_file", "filename": "../../etc/passwd"}'

Successful retrieval of sensitive files like /etc/passwd indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade AGiXT to version 1.9.2 or later, where the vulnerability has been fixed.

The fix involves an improved safe_join() function that uses realpath resolution and strict path validation to prevent directory traversal outside the agent workspace.

• Upgrade AGiXT to version 1.9.2 by following the official release instructions.
• If upgrading immediately is not possible, restrict access to the AGiXT API to trusted users only, ensuring that only authenticated users with valid API keys can access it.
• Monitor and audit API usage for suspicious commands involving file operations.

Applying the official patch or upgrade is the most effective and recommended mitigation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated attacker to read, write, or delete arbitrary files on the server hosting the AGiXT instance by exploiting directory traversal sequences. This unauthorized file access can lead to credential theft, persistent code execution, or denial of service.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability. Exposure or manipulation of sensitive data due to this vulnerability could result in violations of these regulations.

Useful 0 Not Useful 0