Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.
AnalysisAI
{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. Publicly available exploit code exists and a vendor patch has been released; this issue was reported by VulnCheck.
Technical ContextAI
ai-goofish-monitor is a Python/FastAPI-based monitoring application (cpe:2.3:a:usagi-org:ai-goofish-monitor) that exposes a prompts management API. The root cause is CWE-36 (Absolute Path Traversal): the handler validates filenames with a blocklist (if "/" in filename or ".." in filename) and then calls os.path.join("prompts", filename). Per Python's documented behavior, when a component passed to os.path.join is an absolute path, all previous components are discarded, so supplying an absolute Windows path like C:\Windows\win.ini causes the prompts directory prefix to be dropped. Backslashes are not in the blocklist, so directory separators on Windows also evade the check. The fix in PR #489 replaces the blocklist with a containment check using pathlib's Path.resolve() and relative_to(_PROMPTS_DIR).
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - apply the patch from https://github.com/Usagi-org/ai-goofish-monitor/pull/489, which introduces a _safe_prompt_path helper that resolves the requested filename against a canonicalized prompts directory and rejects anything outside it via Path.resolve().relative_to(_PROMPTS_DIR). If immediate patching is not possible, block external access to the GET /api/prompts/{filename} endpoint at a reverse proxy or WAF (side effect: legitimate prompt retrieval will break), or run the service behind authentication; on Windows specifically, run the process under a low-privilege service account with file system ACLs that deny read on sensitive paths such as C:\Windows\, configuration files, and any application secrets to reduce the value of a successful read. Monitor for requests to /api/prompts/ containing drive letters, colons, or backslashes. Track the vendor advisory at https://www.vulncheck.com/advisories/ai-goofish-monitor-unauthenticated-arbitrary-file-read-via-get-api-prompts for the tagged release version.
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33061
GHSA-93rg-qjp9-mg35