PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8770 Continue CVE debrief

CVE-2026-8770 describes a path traversal issue in the JSON-RPC Server component of continuedev continue up to 1.2.22, specifically in lsTool within core/tools/implementations/lsTool.ts. The issue is triggered by manipulation of the dirPath argument and is reported to require local access. The CVE record lists CWE-22 and a low CVSS 4.0 score of 1.9. Source material also indicates that a public exploit exists and that the vendor was contacted early but did not respond.

Vendor: Continue
Product: Unknown
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Administrators and developers using continuedev continue up to 1.2.22, especially anyone exposing or embedding the JSON-RPC Server in environments where local users, agents, or jobs can influence tool arguments.

Technical summary

The reported weakness is a path traversal condition in lsTool, where untrusted control of the dirPath argument can lead to access outside the intended directory scope. The CNA-classified weakness is CWE-22. The source indicates the attack is local rather than remote, which helps explain the low severity rating, but the presence of a publicly available exploit increases the need for timely patching or mitigation. The available source corpus does not include a vendor fix, patch version, or confirmed remediation timeline.

Defensive priority

Low severity but worth addressing promptly if the affected component is present, because the issue is publicly disclosed and exploit material is referenced. Prioritize if local users, automation, or plugins can supply dirPath values.

Recommended defensive actions

  • Inventory deployments using continuedev continue up to 1.2.22 and confirm whether the JSON-RPC Server component is enabled.
  • Restrict who can invoke lsTool or influence dirPath, and apply strict allowlist validation for directory inputs.
  • Run the service with least privilege so path traversal has minimal impact even if triggered.
  • Monitor for unexpected filesystem access outside approved working paths.
  • Review upstream advisories or release notes for a fixed version before continuing exposure.
  • If you cannot patch immediately, reduce local attack surface by limiting shell, agent, and job access to the host or container.
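The allowlist validation recommended above, as an added illustration that is not Continue's own code: a tool-supplied dirPath is resolved against one allowlisted workspace root, rejected if it lexically escapes that root, and rejected again after realpath resolution so a symlink inside the root cannot redirect the listing outside it. Function names and the temporary sandbox layout are assumptions made for the example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Lexical containment check: true when candidate is neither absRoot nor a descendant of it.
function escapesRoot(absRoot: string, candidate: string): boolean {
  const rel = path.relative(absRoot, candidate);
  return rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
}

// Resolve a tool-supplied dirPath against the allowlisted workspace root. Relative inputs
// are joined to the root; absolute inputs must already lie inside it. path.resolve
// normalises "..", "." and repeated separators before the containment check runs.
export function resolveWithinRoot(root: string, dirPath: string): string {
  const absRoot = path.resolve(root);
  const candidate = path.resolve(absRoot, dirPath);
  if (escapesRoot(absRoot, candidate)) {
    throw new Error(`dirPath escapes workspace root: ${JSON.stringify(dirPath)}`);
  }
  return candidate;
}

// Hardened listing: lexical check first, then a realpath check so that a symlink inside
// the root cannot point the listing at a directory outside it.
export function safeListDir(root: string, dirPath: string): string[] {
  const candidate = resolveWithinRoot(root, dirPath);
  const realRoot = fs.realpathSync(path.resolve(root));
  const realDir = fs.realpathSync(candidate); // throws if the directory does not exist
  if (escapesRoot(realRoot, realDir)) {
    throw new Error(`dirPath resolves through a symlink outside the root: ${JSON.stringify(dirPath)}`);
  }
  return fs.readdirSync(realDir).sort();
}

// Constructed sandbox for the demo (not real data): workspace/sub/a.txt, a directory
// named "..hidden" that must stay allowed, and a symlink workspace/escape that points
// at a directory outside the workspace root.
export function buildSandbox(): { root: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "patchsiren-lstool-"));
  const root = path.join(base, "workspace");
  const outside = path.join(base, "outside");
  fs.mkdirSync(path.join(root, "sub"), { recursive: true });
  fs.mkdirSync(path.join(root, "..hidden"));
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, "sub", "a.txt"), "ok");
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed");
  fs.symlinkSync(outside, path.join(root, "escape"), "dir");
  return { root, outside };
}
```

The lexical check alone is not enough: `escape` passes it and is only caught by the realpath comparison, which is why both checks are applied.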

Evidence notes

Source item from NVD (published 2026-05-18T00:16:37.343Z) records the vulnerability as Received, with CWE-22 and a low CVSS vector. The vulnerability description supplied in the prompt states the affected function is lsTool in core/tools/implementations/lsTool.ts, that manipulation of dirPath leads to path traversal, that attack requires local access, that a public exploit exists, and that the vendor did not respond to early contact. References supplied by the source item include a CVE reference, NVD detail page, and VulDB-linked references, but the corpus does not provide a verified fix or patch advisory.

Official resources

CVE-2026-8770 was published on 2026-05-18T00:16:37.343Z. The supplied disclosure context says the vendor was contacted early but did not respond, and that a public exploit is available. Timing in this debrief uses the CVE publication date,