CVE-2026-47119 3clyp50 CVE debrief

Who should care

Organizations running Agent Zero versions prior to 1.15, particularly those with multi-user deployments where filesystem access controls may be insufficiently restrictive. Security teams should prioritize this if the application handles sensitive operations via API calls protected only by csrf_token.

Technical summary

The image_get endpoint in Agent Zero fails to set security headers when serving files, allowing SVG files with embedded JavaScript to execute in the browser. The vulnerability requires the attacker to have filesystem access to place the malicious SVG, and requires social engineering to lure an authenticated victim to the crafted URL. Successful exploitation yields same-origin script execution, enabling theft of the csrf_token cookie and subsequent authenticated API abuse. The fix adds proper header configuration to prevent MIME-type sniffing and inline script execution.

Defensive priority

medium

Recommended defensive actions

• Upgrade to Agent Zero version 1.15 or later which includes the security header fix
• If immediate upgrade is not possible, implement a reverse proxy or WAF rule to inject Content-Security-Policy, X-Content-Type-Options: nosniff, and Content-Disposition: attachment headers on responses from the image_get
• Review filesystem permissions to restrict write access to paths readable by the agent-zero process
• Monitor for unauthorized API calls that may indicate successful exploitation
• Audit access logs for requests to image_get endpoint with SVG file extensions from unexpected referrers

Evidence notes

Vulnerability confirmed through Vulncheck advisory and GitHub issue #1609. Fix commit 1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e addresses header configuration. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring user interaction but no privileges. CWE-79 (Improper Neutralization of Input During Web Page Generation) classified as primary weakness.

Official resources