PatchSiren cyber security CVE debrief
CVE-2026-26396 OpenBMB CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory traversal vulnerability that may result in sensitive information disclosure. Users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability, which may result in sensitive information disclosure.
- Vendor
- OpenBMB
- Product
- XAgent
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability, which may result in sensitive information disclosure. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be read without proper validation. This vulnerability may result in sensitive information disclosure. Affected product context indicates that users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability.
Defensive priority
High priority due to potential sensitive information disclosure.
Recommended defensive actions
- Inventory and verify affected OpenBMB XAgent versions
- Apply vendor remediation or patches when available
- Implement compensating controls such as monitoring and exception tracking
- Restrict access to sensitive files and directories
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is limited; further verification is required. Official CVE and NVD records provide some details. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. Affected product deployments need to be confirmed in managed environments. Owners should be assigned for follow-up. The official advisory or CVE record should be reviewed to validate affected scope, severity, and vendor guidance.
Official resources
-
CVE-2026-26396 CVE record
CVE.org
-
CVE-2026-26396 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then.