CVE-2026-59807
Received Received - Intake

Path Validation Bypass in Composio SDK

Vulnerability report for CVE-2026-59807, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt injection to manipulate file_uploadable parameters to reference sensitive paths such as SSH private keys, causing the CLI to upload credential files to attacker-controlled storage.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
composio sdk to 0.2.32-beta.283 (exc)
composio cli to 0.2.32-beta.283 (exc)
composio core to 0.2.32-beta.283 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59807 is a path validation bypass vulnerability in the Composio SDK before version 0.2.32-beta.283. It occurs because the CLI's file upload functionality does not properly enforce a sensitive-file denylist check in the readFileFromDisk function. This missing check allows attackers to exploit prompt injection to manipulate file upload parameters and reference sensitive local file paths, such as SSH private keys or AWS credentials.

As a result, attackers can trick the CLI into reading and uploading these sensitive files to attacker-controlled storage, enabling credential exfiltration. The vulnerability arises because the denylist was enforced only at the caller layer and not at the lowest-level file read primitive, allowing bypass via certain tool arguments.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files from your system, such as SSH private keys, AWS credentials, environment files, and other confidential data. Attackers can exploit prompt injection attacks to cause the CLI to upload these files to attacker-controlled endpoints.

The impact includes credential theft, unauthorized access to systems and cloud resources, and potential compromise of your infrastructure or data. Since the vulnerability allows reading any local file specified in tool arguments, it poses a significant security risk in automated or agentic workflows.

Detection Guidance

This vulnerability involves the Composio CLI tool's file-upload functionality bypassing a sensitive-file denylist, allowing attackers to exfiltrate sensitive files by manipulating file_uploadable parameters. Detection involves monitoring for unusual or unauthorized file upload activities, especially those referencing sensitive paths such as ~/.ssh/id_rsa, ~/.aws/credentials, or .env files.

Since the vulnerability can be exploited via agentic workflows using commands like `composio execute` or `composio run`, monitoring the usage of these commands with suspicious file upload arguments is critical.

Suggested detection commands or approaches include:

  • Audit logs for `composio execute` or `composio run` commands that include file_uploadable parameters pointing to sensitive file paths.
  • Use file system monitoring tools to detect reads of sensitive files by the Composio CLI process.
  • Network monitoring to detect unexpected uploads or network connections from the CLI to external or attacker-controlled storage endpoints.
  • Example command to check running processes or recent commands involving composio CLI with suspicious file paths (adjust for your environment):
  • grep -rE '\.ssh/id_rsa|\.aws/credentials|\.env' ~/.bash_history /var/log/auth.log
  • Use system auditing tools like auditd to track file reads on sensitive files by the composio CLI binary.
Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the Composio CLI and SDK to version 0.2.32-beta.283 or later, where the vulnerability has been fixed by enforcing a sensitive-file denylist at the lowest-level file read primitive.

The fix includes the addition of the `assertSafeFileUploadPath` guard in the CLI's `readFileFromDisk` function, preventing unauthorized file uploads of sensitive files such as SSH keys, AWS credentials, and environment files.

Additional mitigation steps include:

  • Review and restrict agentic workflows or automated scripts that use the Composio CLI, especially those that accept file_uploadable parameters.
  • Monitor and audit usage of the CLI commands `composio execute` and `composio run` to detect and prevent prompt injection or unauthorized file uploads.
  • Apply network controls to limit the CLI's ability to upload files to untrusted or external storage endpoints.
  • Implement regression tests or validation checks in your deployment pipeline to ensure the denylist guard is active and effective.
Compliance Impact

The vulnerability in Composio SDK and CLI allows attackers to exfiltrate sensitive files such as SSH private keys, AWS credentials, and environment files by bypassing path validation and sensitive-file denylist checks.

This unauthorized access and exfiltration of sensitive credential files could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of sensitive data.

Specifically, the ability for attackers to manipulate file upload parameters and extract sensitive files to attacker-controlled storage increases the risk of data breaches, which are subject to mandatory reporting and compliance requirements under these regulations.

Therefore, organizations using affected versions of Composio SDK or CLI may face compliance risks if this vulnerability is exploited, as it undermines the security controls intended to protect sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart