PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26396 OpenBMB CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory traversal vulnerability that may result in sensitive information disclosure. Users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability, which may result in sensitive information disclosure.

Vendor
OpenBMB
Product
XAgent
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability, which may result in sensitive information disclosure. Affected operators, platforms, vulnerability-management, and security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter 'filename' is user-controllable and is concatenated into the file path to be read without proper validation. This vulnerability may result in sensitive information disclosure. Affected product context indicates that users of OpenBMB XAgent v1.0.0 and before should be aware of this path traversal vulnerability.

Defensive priority

High priority due to potential sensitive information disclosure.

Recommended defensive actions

  • Inventory and verify affected OpenBMB XAgent versions
  • Apply vendor remediation or patches when available
  • Implement compensating controls such as monitoring and exception tracking
  • Restrict access to sensitive files and directories
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is limited; further verification is required. Official CVE and NVD records provide some details. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then. Affected product deployments need to be confirmed in managed environments. Owners should be assigned for follow-up. The official advisory or CVE record should be reviewed to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:03.320Z and has not been modified since then.