CVE-2026-29870

| EUVD-2026-17419 HIGH
2026-03-31 mitre GHSA-7gc4-v478-jrmv
7.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 31, 2026 - 15:01 vuln.today
EUVD ID Assigned
Mar 31, 2026 - 15:01 euvd
EUVD-2026-17419
CVE Published
Mar 31, 2026 - 00:00 nvd
HIGH 7.6

Tags

Path Traversal Privilege Escalation RCE

Description

A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The save_to_file method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to escape the intended checkpoint directory. This vulnerability allows attackers to overwrite arbitrary files accessible to the application process, potentially leading to application corruption, privilege escalation, or code execution depending on the deployment context.

Analysis

Directory traversal in agentic-context-engine up to version 0.7.1 enables arbitrary file writes through the checkpoint_dir parameter in OfflineACE.run, exploiting inadequate path normalization in the save_to_file method. Unauthenticated attackers can overwrite arbitrary files within the application process's permissions scope, potentially achieving code execution, privilege escalation, or application compromise depending on deployment context and file system layout.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Share

CVE-2026-29870 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy