CVE-2026-53535
Received Received - Intake

Path Traversal in Activepieces Git-Sync Feature

Vulnerability report for CVE-2026-53535, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Activepieces is an open source AI workflow automation platform. Prior to 0.82.0, the git-sync feature clones a user-configured Git repository into a temporary directory on the server and then writes flow, table, and connection state into it before pushing back, and two separate weaknesses allowed those writes to escape the intended workspace and land on arbitrary paths on the host filesystem: Git's symbolic-link handling was not disabled on the clone, so an attacker who controlled the remote repository could include symlinks that redirected the writes, and several user-supplied identifiers used to build on-disk paths (the repository slug and the externalId of tables, flows, and connections) were not validated against directory-traversal sequences such as ../. On a self-hosted Enterprise Edition deployment, a user authorized to configure or push to a git-sync repository (holding the WRITE_PROJECT_RELEASE permission) could cause the server to overwrite files anywhere the Activepieces process user can write, which depending on host layout can be leveraged for tampering, denial of service, or remote code execution. This issue is fixed in version 0.82.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
activepieces activepieces to 0.82.0 (exc)
activepieces activepieces 0.82.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Activepieces (versions prior to 0.82.0) allows authenticated users with specific privileges to write files outside the intended workspace using path traversal and symlink manipulation. Attackers can exploit symbolic links or directory traversal sequences in user-supplied identifiers like repository slugs or table/flow external IDs to overwrite arbitrary files on the host filesystem.

Detection Guidance

Check Activepieces version with: curl -s http://<host>:<port>/api/v1/health | grep version. If version is below 0.82.0, the system is vulnerable. Inspect git-sync repository configurations for suspicious repository slugs or external IDs containing ../ or symlink patterns. Review file system writes outside intended directories.

Commands: 1) docker exec <container> npm list activepieces (for Docker). 2) grep -r "git-sync" /path/to/activepieces/config. 3) ls -la /tmp/activepieces-git-sync* (check temp directories).

Impact Analysis

An attacker could overwrite critical system files, leading to tampering, denial of service, or remote code execution depending on the permissions of the Activepieces process user. This requires the attacker to have WRITE_PROJECT_RELEASE permission to register a Git repository or create git-synced tables/flows.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by allowing unauthorized file writes on the host system. If exploited, it may enable tampering with sensitive data, denial of service, or remote code execution, depending on the Activepieces process user's permissions. Such unauthorized access could lead to violations of data integrity, confidentiality, or availability requirements under these regulations.

Mitigation Strategies

Upgrade Activepieces to version 0.82.0 or later immediately. Disable git-sync feature if not required. Restrict WRITE_PROJECT_RELEASE permission to trusted users only. Audit all git-sync repositories for malicious repository slugs or external IDs. Run Activepieces service with minimal filesystem permissions.

Temporary mitigation: Set core.symlinks to false in Git config and block file:// protocol in Git URLs. Monitor for unauthorized file writes or system changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart