Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled. Attackers can request any file with an image extension readable by the process, including files outside the agent workspace, user home directories, and mounted volumes, and can also leverage symlink-based escapes due to the lack of path canonicalization in the path resolution logic.
AnalysisAI
Arbitrary file read in Agent Zero before version 1.15 lets remote unauthenticated attackers retrieve files outside the agent workspace through the image-serving API (api/image_get.py), which validates only the file extension while the directory-containment check is commented out. Any file readable by the process and bearing an allowed image extension can be disclosed, and symlinks can be abused to reach non-image targets because the path is never canonicalized. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Technical ContextAI
Agent Zero is an open-source agentic-AI framework that exposes an HTTP API, including an image-retrieval endpoint implemented in api/image_get.py. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the vulnerable code gated access purely on an extension allowlist (.jpg, .jpeg, .png, .gif, .bmp, .webp, .svg, .ico, .svgz) while the base-directory containment logic (files.is_in_base_dir / is_in_dir checks) was explicitly disabled via commented-out code, with a developer note stating 'no real need to check, we have the extension filter in place.' Because the supplied path was passed to files.fix_dev_path/send_file without canonicalization, ../ sequences and symbolic links resolved freely, allowing traversal beyond the agent workspace into user home directories and mounted volumes. The 1.15 fix introduces _resolve_allowed_image_path(), which resolves the candidate path with Path.resolve(strict=False) and enforces resolved.relative_to(base_dir), and adds nosniff plus a sandboxing Content-Security-Policy for SVG responses. No CPE strings were supplied in the source data.
RemediationAI
Vendor-released patch: upgrade to Agent Zero version 1.15 or later, which adds the _resolve_allowed_image_path() canonicalization-and-containment check (commit 1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e); see the VulnCheck advisory at https://www.vulncheck.com/advisories/agent-zero-path-traversal-file-read-via-image-get-api and issue https://github.com/agent0ai/agent-zero/issues/1609. If immediate upgrade is not possible, restrict network reachability of the image_get API endpoint to trusted clients via a reverse proxy or firewall rule (trade-off: legitimate remote image rendering breaks for blocked clients), run the agent in a tightly scoped container that mounts only the workspace and no sensitive host volumes or home directories (trade-off: reduces the file set an attacker can reach but does not close the bug), and remove or avoid creating symlinks within reachable directories to limit canonicalization-based escapes. These are compensating controls only; patching to 1.15 is the sole complete fix.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32522
GHSA-8j45-8v5h-63vj