PatchSiren cyber security CVE debrief
CVE-2026-47118 3clyp50 CVE debrief
Agent Zero versions prior to 1.15 contain a path traversal vulnerability in the image file serving endpoint. The endpoint relies on an extension allowlist for security but has its path containment check explicitly disabled. This allows unauthenticated attackers to read arbitrary files readable by the process by supplying crafted paths with permitted image extensions. The vulnerability extends beyond the agent workspace to include user home directories and mounted volumes. Additionally, symlink-based escapes are possible due to missing path canonicalization in the resolution logic. The issue was disclosed on 2026-05-27 and assigned CVSS 4.0 score 7.1 (HIGH). A fix commit is available that addresses the path traversal weakness.
- Vendor
- 3clyp50
- Product
- agent-zero
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Organizations running Agent Zero versions prior to 1.15, particularly those exposing the application to untrusted networks or hosting sensitive data on accessible file systems. Security teams responsible for AI agent infrastructure and file serving components should prioritize patching.
Technical summary
The vulnerability exists in Agent Zero's image file serving endpoint which uses an extension-based allowlist without proper path validation. The path containment check is explicitly disabled, allowing attackers to traverse outside intended directories using relative path sequences. The lack of path canonicalization enables symlink-based escapes. Attackers can request any file with an allowed image extension that the process has read access to, including sensitive files in user home directories and mounted volumes. The attack requires no authentication and can be performed remotely with low complexity.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Agent Zero to version 1.15 or later which contains the path traversal fix
- Review and enable path containment checks on all file serving endpoints
- Implement proper path canonicalization to prevent symlink-based directory escapes
- Restrict file serving endpoints to a defined chroot or sandboxed directory with strict boundary enforcement
- Audit file system permissions to ensure the process cannot read sensitive files outside intended directories
- Monitor for anomalous file access patterns targeting image endpoints with unusual path structures
- Consider implementing additional access controls or authentication for file serving functionality
Evidence notes
The CVE description and NVD metadata confirm the vulnerability affects Agent Zero before version 1.15. The weakness is classified as CWE-22 (Path Traversal). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact. Source references include a GitHub commit (1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e) representing the fix, a GitHub issue (#1609), and a Vulncheck advisory. The NVD entry shows vulnStatus 'Deferred' as of the modified timestamp.
Official resources
2026-05-27T15:16:30.543Z