CVE-2026-5595
Path Traversal in griptape-ai FileManagerTool Enables Remote Exploit
Publication date: 2026-04-05
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| griptape-ai | griptape | 0.19.4 |
| griptape-ai | griptape | to 1.9.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict path sanitization and validation in the FileManagerTool component.
- Use os.path.basename() to remove directory components if only flat directory access is intended.
- Resolve absolute paths with os.path.abspath() and ensure they reside within the intended working directory by using checks like os.path.commonpath or verifying that the path starts with the working directory path.
These mitigations prevent path traversal by ensuring that user-supplied paths cannot escape the designated directory.
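The containment check described in this answer, as an added example (not griptape's code or its actual fix); the function names and sample paths are constructed for illustration. It goes slightly beyond the answer by using `os.path.realpath()` instead of `os.path.abspath()` so that symlinks are resolved, and it runs the "starts with" test beside `os.path.commonpath` on the same inputs.

```python
import os
import tempfile

def resolve_within(workdir: str, user_path: str) -> str:
    """Return the resolved path for user_path, or raise ValueError if it leaves workdir."""
    base = os.path.realpath(workdir)
    # os.path.join() drops base when user_path is absolute, so validate the
    # joined, resolved result and never the raw input string.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole path components, not characters.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path!r} resolves outside {base!r}")
    return candidate

def is_allowed(workdir: str, user_path: str) -> bool:
    try:
        resolve_within(workdir, user_path)
        return True
    except ValueError:
        return False

def prefix_check(workdir: str, user_path: str) -> bool:
    """The weaker 'starts with the working directory' test, for comparison."""
    base = os.path.abspath(workdir)
    return os.path.abspath(os.path.join(base, user_path)).startswith(base)

def demo() -> dict:
    """Evaluate constructed sample paths against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")
        os.makedirs(os.path.join(work, "notes"))
        os.makedirs(os.path.join(root, "work-old"))      # sibling sharing the prefix
        os.symlink(root, os.path.join(work, "link"))     # symlink leading out of work
        samples = [
            "notes/todo.txt",
            "notes/../notes/todo.txt",
            "../../etc/passwd",
            "/etc/passwd",
            "../work-old/data.txt",
            "link/work-old/data.txt",
        ]
        return {p: (is_allowed(work, p), prefix_check(work, p)) for p in samples}

if __name__ == "__main__":
    for path, (strict, prefix) in demo().items():
        print(f"{path:28} commonpath={strict!s:5} startswith={prefix}")
```

The last two samples pass the string-prefix test but are rejected by the component-wise check on the resolved path, which is why the latter is the one to rely on.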
Can you explain this vulnerability to me?
CVE-2026-5595 is a path traversal vulnerability in the FileManagerTool component of griptape-ai griptape version 0.19.4 and earlier. The vulnerability arises because the tool fails to properly sanitize file paths provided by the language model (LLM). It concatenates these paths directly with the working directory without validation, allowing an attacker to manipulate the file path using sequences like "../" to access files and directories outside the intended scope.
- An attacker can read arbitrary files on the system, such as /etc/passwd.
- An attacker can list arbitrary directories.
- An attacker can write to arbitrary files, potentially modifying or creating files.
How can this vulnerability impact me?
This vulnerability can have serious impacts including full read and write access to the host filesystem with the privileges of the Griptape agent user.
- Information disclosure by reading sensitive files such as SSH keys and credentials.
- Potential remote code execution by writing to files like ~/.bashrc or __init__.py.
- System compromise through modification or deletion of critical system files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Griptape FileManagerTool component improperly handles file paths that include path traversal sequences such as "../". One way to detect exploitation attempts is to monitor logs or inputs for Base64-encoded strings that decode to path traversal patterns.
You can also test the system by attempting to invoke the vulnerable functions with crafted inputs that include path traversal sequences to see if arbitrary files can be read or written.
Example commands to detect the vulnerability might include sending requests or commands to the Griptape agent that attempt to read sensitive files like /etc/passwd by encoding the path traversal string in Base64 and observing if the file contents are returned.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to read and write arbitrary files on the host filesystem, potentially exposing sensitive information such as SSH keys and credentials.
This exposure of sensitive data and potential system compromise can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to unauthorized disclosure or alteration of protected data.