Skip to main content

Activepieces CVE-2026-53535

MEDIUM
Path Traversal (CWE-22)
2026-07-16 security-advisories@github.com
5.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

PR:H reflects mandatory WRITE_PROJECT_RELEASE permission; S:U because writes remain within the process user's existing OS authorization boundary; C:N as no read primitive exists.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 19:31 vuln.today
Analysis Generated
Jul 16, 2026 - 19:31 vuln.today

DescriptionCVE.org

Activepieces is an open source AI workflow automation platform. Prior to 0.82.0, the git-sync feature clones a user-configured Git repository into a temporary directory on the server and then writes flow, table, and connection state into it before pushing back, and two separate weaknesses allowed those writes to escape the intended workspace and land on arbitrary paths on the host filesystem: Git's symbolic-link handling was not disabled on the clone, so an attacker who controlled the remote repository could include symlinks that redirected the writes, and several user-supplied identifiers used to build on-disk paths (the repository slug and the externalId of tables, flows, and connections) were not validated against directory-traversal sequences such as ../. On a self-hosted Enterprise Edition deployment, a user authorized to configure or push to a git-sync repository (holding the WRITE_PROJECT_RELEASE permission) could cause the server to overwrite files anywhere the Activepieces process user can write, which depending on host layout can be leveraged for tampering, denial of service, or remote code execution. This issue is fixed in version 0.82.0.

AnalysisAI

Path traversal in Activepieces Enterprise Edition git-sync prior to 0.82.0 allows an authenticated project administrator to overwrite arbitrary files on the host filesystem, with potential impact ranging from data tampering and denial of service to remote code execution. Two distinct weaknesses compound each other: Git's symbolic-link handling was not disabled during repository cloning, and user-supplied identifiers - repository slug and the externalId fields for flows, tables, and connections - were concatenated into filesystem paths without sanitization of directory-traversal sequences. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate with WRITE_PROJECT_RELEASE permission
Delivery
Configure git-sync to attacker-controlled repo or craft traversal slug/externalId
Exploit
Trigger sync operation
Install
Server clones repo with symlinks enabled and traverses outside workspace
C2
Attacker-controlled content written to arbitrary host path
Execute
Overwrite executable or config file
Impact
Execute code or cause denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a self-hosted Activepieces Enterprise Edition deployment with the git-sync feature enabled - this is an Enterprise-only capability not present in Community Edition or cloud-hosted instances; (2) an authenticated user account holding the WRITE_PROJECT_RELEASE permission; (3) either control over the remote Git repository configured for sync (to embed malicious symlinks) or the ability to set the repository slug or externalId values for flows, tables, or connections to strings containing `../` directory traversal sequences. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.9 appropriately reflects the high privilege barrier (PR:H - WRITE_PROJECT_RELEASE permission) and AT:P (specific attack requirements), which together significantly constrain who can exploit this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding WRITE_PROJECT_RELEASE permission on a self-hosted Activepieces Enterprise instance either configures git-sync to point to an attacker-controlled remote repository embedding symlinks targeting host paths such as `/etc/cron.d/` or application startup scripts, or sets the repository slug or an externalId to a value containing `../` sequences. When the server performs a sync, it writes attacker-controlled JSON content to the resolved path outside the workspace - for example, dropping a cron script that executes a reverse shell as the Activepieces process user. …
Remediation Upgrade to Activepieces version 0.82.0 or later, available at https://github.com/activepieces/activepieces/releases/tag/0.82.0; this is the only fully effective fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy