CVE-2026-48544 Avaiga CVE debrief

Who should care

Organizations running Taipy 4.1.1 web applications with custom ElementLibrary extensions; security teams monitoring Python Flask applications for path traversal vulnerabilities; developers implementing path containment checks in file serving endpoints.

Technical summary

The vulnerability stems from an incomplete security check in Taipy's extension library resource handler. The code uses `str.startswith()` to validate that a requested path remains within an intended module directory, but omits a trailing path separator in the comparison. This allows attackers to specify paths that technically start with the allowed directory string while traversing to sibling directories—for example, requesting `/allowed_dir../etc/passwd` where `startswith('/allowed_dir')` returns true. Flask's path converter and Werkzeug's WSGI layer preserve traversal segments in the request, and the resolved filesystem path escapes containment while still satisfying the flawed check. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) reflects network attackability with no privileges required and high confidentiality impact.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Taipy to version 4.1.2 or later containing commit 129fd40
• Review custom ElementLibrary implementations for similar path traversal patterns using startswith() without trailing separators
• Implement additional path canonicalization and validation before file access operations
• Monitor application logs for anomalous GET requests containing path traversal sequences (../) to library resource endpoints
• Apply principle of least privilege to file system access for web application processes

Evidence notes

CVE published 2026-05-27T15:16:30.880Z; modified 2026-05-27T19:59:03.360Z. Fix confirmed in commit 129fd407ffca49ee4ab853772c88d0c873e038dd. Advisory published by Vulncheck.

Official resources