PYSEC-2026-2894

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pptagent/PYSEC-2026-2894.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2894
Aliases
Published
2026-07-13T15:15:37.675795Z
Modified
2026-07-13T16:33:00.027297267Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
PPTAgent: Arbitrary File Write via `save_generated_slides`
Details

Summary

This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.

The save_generated_slides MCP tool accepts a pptx_path argument and writes the generated PPTX file to that path without any workspace restriction or path validation:

# pptagent/mcp_server.py:288-300
async def save_generated_slides(pptx_path: str):
    """Save the generated slides to a PowerPoint file.

    Args:
        pptx_path: The path to save the PowerPoint file
    """
    pptx = Path(pptx_path)
    assert len(self.slides), (
        "No slides generated, please call `generate_slide` first"
    )
    pptx.parent.mkdir(parents=True, exist_ok=True)   # ← creates arbitrary directories
    self.empty_prs.save(pptx_path)                    # ← writes to arbitrary path

The call to pptx.parent.mkdir(parents=True, exist_ok=True) creates any intermediate directories, and self.empty_prs.save(pptx_path) writes a valid PPTX binary (ZIP archive) to the specified path. No isrelativeto(workspace) check is performed — contrast with download_file in deeppresenter/tools/search.py:290, which correctly enforces workspace confinement.

The server changes directory to WORKSPACE (if set) on startup, so relative paths land in the workspace. Absolute paths, however, reach any filesystem location accessible to the server process.

Impact

The concrete attack scenarios include

  1. Cron persistence (root-running server): pptx_path = "/etc/cron.d/backdoor" → writes a PPTX ZIP to a path the cron daemon reads; if the ZIP header is misinterpreted, this may corrupt cron or be exploitable depending on parser behaviour.
  2. Dot-file overwrite: pptx_path = "/home/user/.bashrc" → overwrites shell init file with a binary blob containing arbitrary content in the PPTX's embedded comments/custom properties.
  3. Directory traversal from workspace: pptx_path = "../../.ssh/known_hosts.pptx" → escapes workspace entirely.
  4. Denial of service: pptx_path = "/dev/sda" writes to a raw device.

Remediation

The potential fix is something like:

async def save_generated_slides(pptx_path: str):
    workspace = Path(os.getcwd()).resolve()
    target = Path(pptx_path).resolve()
    if not target.is_relative_to(workspace):
        raise ValueError(f"Access denied: path outside workspace: {target}")
    target.parent.mkdir(parents=True, exist_ok=True)
    self.empty_prs.save(str(target))
References

Affected packages

PyPI / pptagent

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.36

Affected versions

0.*
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.13
0.2.14
0.2.15
0.2.16
0.2.17
0.2.18
1.*
1.0.0
1.0.1
1.0.2
1.1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.24
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.32
1.1.33
1.1.34
1.1.35

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pptagent/PYSEC-2026-2894.yaml"