Skip to main content

Microsoft Prompty CVE-2026-53598

| EUVDEUVD-2026-44940 HIGH
Path Traversal (CWE-22)
2026-07-16 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Read-only file disclosure gives C:H/I:N/A:N; low complexity, but exploitation depends on a victim loading an attacker-supplied prompt, so UI:R rather than NVD's UI:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:54 vuln.today
Analysis Generated
Jul 16, 2026 - 15:54 vuln.today
CVE Published
Jul 16, 2026 - 14:59 cve.org
HIGH 7.5

DescriptionCVE.org

Prompty is a markdown file format (.prompty) for LLM prompts. Prior to 2.0.0-beta.2, Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that resolved paths stayed within the prompt directory or allowed roots, allowing an attacker-controlled prompt file to read local files through absolute paths, .. traversal, or symlink escapes. This issue is fixed in versions 2.0.0-beta.2.

AnalysisAI

{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .prompty with ${file:...} escape
Delivery
Deliver prompt to victim application
Exploit
Loader resolves path outside prompt dir
Execution
Read local secret/config file
Impact
Exfiltrate contents via prompt output

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host application load an attacker-controlled .prompty file whose frontmatter includes a ${file:...} reference (in a field such as description) pointing outside the prompt directory via an absolute path, ../ traversal, or a symlink. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately consistent but require nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits or plants a malicious .prompty file whose frontmatter contains description: "${file:../../../../etc/passwd}" (or an absolute path, or a symlink pointing outside the prompt directory). When the victim application loads the prompt via the vulnerable Prompty loader, the loader reads the targeted file and inlines its contents into the resolved prompt fields, disclosing it downstream (e.g. …
Remediation Vendor-released patch: upgrade Prompty to 2.0.0-beta.2 or later, which scopes ${file:...} references to the containing .prompty file's directory by default and adds PromptyLoadOptions.AllowedFileRoots for hosts to explicitly opt into additional read roots (see GHSA-wxhm-2mq7-7697 and commit 88ac9948d7d37995edbb2f6d36913436626c39e1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Restrict file system permissions on all directories containing credentials or configuration using the principle of least privilege; audit user and process access to the affected system and revoke unnecessary permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy