Skip to main content

RTGS2017 NagaAgent EUVDEUVD-2026-27157

| CVE-2026-7784 MEDIUM
Path Traversal (CWE-22)
2026-05-05 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 05, 2026 - 00:30 vuln.today

DescriptionCVE.org

A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal vulnerability in RTGS2017 NagaAgent up to version 5.1.0 allows remote unauthenticated attackers to manipulate the Name argument in the Skills Endpoint (apiserver/routes/extensions.py) to access arbitrary files on the server with limited confidentiality impact. Exploit code has been publicly disclosed and the vendor was informed via issue report but has not responded with a patch.

Technical ContextAI

The vulnerability exists in the Skills Endpoint component of NagaAgent, specifically in the apiserver/routes/extensions.py file where user-supplied input to the Name parameter is processed without proper path validation. This classic path traversal flaw (CWE-22) allows an attacker to use directory traversal sequences (such as '../' or absolute paths) to escape intended directory restrictions and access files outside the intended scope. The vulnerability is exploitable remotely over the network without requiring authentication or user interaction, indicating the Skills Endpoint accepts and processes untrusted input directly without sanitization or canonicalization of file paths.

RemediationAI

No vendor-released patch identified at time of analysis. The project maintainers have not responded to the early disclosure notification via GitHub issue #311. Immediate remediation options include upgrading to a patched version if released after the public disclosure, monitoring the GitHub repository for updates at https://github.com/RTGS2017/NagaAgent/. As a compensating control, implement network-level access restrictions to the Skills Endpoint by blocking or restricting access to the apiserver/routes/extensions.py endpoint to only trusted IP addresses or internal networks. Additionally, implement input validation and sanitization on the Name parameter to reject or normalize path traversal sequences such as '../', '..\', and absolute paths before file operations are performed. Consider disabling or removing the Skills Endpoint feature entirely if not actively used in your deployment. Monitor file access logs on the NagaAgent server for attempts to access files outside expected directories, particularly patterns indicating directory traversal attempts.

Share

EUVD-2026-27157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy