CVE-2026-15519
Received Received - Intake

Path Traversal in Strix PyPI Handler

Vulnerability report for CVE-2026-15519, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was found in usestrix strix up to 1.0.2. This affects an unknown function of the file system_prompt.jinja of the component PyPI Handler. Performing a manipulation results in inclusion of functionality from untrusted control sphere. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15519 is a critical vulnerability in Strix version 1.0.2, an autonomous penetration-testing AI agent. The flaw allows remote code execution through a phishing attack that tricks the agent into installing a malicious package from a fake PyPI mirror.

The attack works by hosting a malicious web application that returns a fake error message instructing the agent to install a package from a custom PyPI mirror. The child agent, lacking safety context, executes the pip install command without verifying the package's legitimacy.

The malicious package contains obfuscated code that, when installed, executes a reverse shell, granting the attacker access to the Strix sandbox container.

The root causes include an unrestricted package installation policy in the system prompt and the absence of safety-boundary propagation in the multi-agent architecture, where child agents do not inherit safety warnings from the root agent.

Compliance Impact

CVE-2026-15519 allows remote code execution through a malicious package installation, potentially leading to unauthorized access to systems and data. Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

The vulnerability arises from design defects that allow untrusted code execution without proper verification, increasing the risk of data breaches or unauthorized data processing. This risk conflicts with the principles of data integrity, confidentiality, and security mandated by these regulations.

Remediation steps suggested include enforcing stricter package installation policies and safety checks, which are necessary to maintain compliance by preventing unauthorized code execution and potential data exposure.

Impact Analysis

This vulnerability can lead to remote code execution on the affected system, allowing an attacker to gain unauthorized access to the Strix sandbox container.

An attacker can execute arbitrary commands remotely, potentially compromising the integrity, confidentiality, and availability of the system and any data processed within the sandbox.

Because the exploit involves a reverse shell, the attacker can control the system remotely, which may lead to further exploitation or lateral movement within a network.

Detection Guidance

Detection of this vulnerability involves monitoring logs for evidence of malicious package installation attempts and reverse shell activity. Key indicators include logs showing the root agent flagging a package as malicious while a child agent proceeds to install it without verification.

You can check for suspicious pip install commands executed by the Strix agents, especially those targeting custom or untrusted PyPI mirrors.

  • Review logs for entries where the root agent issues safety notes about packages.
  • Look for child agent activity installing packages despite warnings.
  • Monitor network traffic for connections to unknown or suspicious PyPI mirrors.

Suggested commands might include:

  • grep or similar tools to search logs for 'pip install' commands or safety notes.
  • netstat or ss to detect unexpected reverse shell connections.
  • tcpdump or Wireshark to capture and analyze network traffic to suspicious hosts.
Mitigation Strategies

Immediate mitigation steps include constraining the package installation policy to require verification of package necessity and provenance.

  • Prohibit the use of --trusted-host without explicit confirmation.
  • Add pre-install safety checks by consulting existing safety notes before allowing package installation.
  • Inject safety context into child agents during their creation to ensure they inherit safety warnings from the root agent.
  • Introduce skepticism toward remediation instructions sourced from targets, such as instructions to install packages from untrusted sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart