PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53535 activepieces CVE debrief

CVE-2026-53535 is a MEDIUM severity vulnerability in Activepieces, an open-source AI workflow automation platform. The git-sync feature clones a user-configured Git repository into a temporary directory on the server. Prior to version 0.82.0, two weaknesses allowed writes to escape the intended workspace and land on arbitrary paths on the host filesystem. An attacker with WRITE_PROJECT_RELEASE permission could cause the server to overwrite files anywhere the Activepieces process user can write, potentially leading to tampering, denial of service, or remote code execution.

Vendor
activepieces
Product
Unknown
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Self-hosted Enterprise Edition deployments of Activepieces are affected. Users with WRITE_PROJECT_RELEASE permission who can configure or push to a git-sync repository are at risk. Administrators and security teams responsible for Activepieces deployments should assess and mitigate this vulnerability.

Technical summary

The vulnerability arises from two weaknesses in the git-sync feature of Activepieces. Firstly, Git's symbolic-link handling was not disabled during the clone process, allowing an attacker-controlled remote repository to include symlinks that could redirect writes. Secondly, user-supplied identifiers (repository slug and externalId of tables, flows, and connections) were not validated against directory-traversal sequences like ../. These weaknesses combined enabled an attacker to write to arbitrary locations on the host filesystem. The issue was fixed in version 0.82.0.

Defensive priority

Apply the patch by upgrading to Activepieces version 0.82.0 or later. Restrict WRITE_PROJECT_RELEASE permissions to trusted users. Monitor git-sync repository configurations and user activities. Implement additional access controls and file system restrictions for the Activepieces process user.

Recommended defensive actions

  • Upgrade to Activepieces version 0.82.0 or later
  • Restrict WRITE_PROJECT_RELEASE permissions to trusted users
  • Monitor git-sync repository configurations and user activities
  • Implement additional access controls and file system restrictions for the Activepieces process user
  • Conduct regular security audits and vulnerability assessments

Evidence notes

The CVE record was published on 2026-07-16T19:16:50.097Z and has not been modified since then. The NVD entry is currently empty. Evidence limits suggest verifying the Activepieces version and git-sync feature usage. Defenders should check for unauthorized repository configurations and monitor user activities with WRITE_PROJECT_RELEASE permission. Conduct regular security audits and vulnerability assessments to ensure the platform's security posture. Additional verification tasks may be required to confirm the vulnerability's impact and validate mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:50.097Z and has not been modified since then.