CVE-2026-10044: ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.
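The path handling described above, as an added example (not the project's code and not its fix): weak_resolve mirrors the guard as this advisory describes it, and safe_resolve is one way to enforce containment. PROMPTS_DIR, the function names and the sample inputs are assumptions constructed for illustration; ntpath is used so the Windows behaviour reproduces on any OS.

```python
import ntpath  # Windows path rules (what os.path is on Windows); runs on any OS

PROMPTS_DIR = r"C:\app\prompts"  # assumed location, constructed for the example


def inside_base(path):
    """True only if path, once normalised, is PROMPTS_DIR or lies beneath it."""
    base = ntpath.normcase(ntpath.normpath(PROMPTS_DIR))
    full = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([base, full]) == base
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def weak_resolve(filename):
    """Guard as the advisory describes it: only '/' and '..' are rejected."""
    if "/" in filename or ".." in filename:
        raise ValueError("invalid filename")
    # join() discards PROMPTS_DIR when filename is itself absolute or rooted.
    return ntpath.join(PROMPTS_DIR, filename)


def safe_resolve(filename):
    """Accept a bare file name only, then confirm containment after the join."""
    drive, rest = ntpath.splitdrive(filename)
    if drive or rest in ("", ".", "..") or ntpath.basename(rest) != rest:
        raise ValueError("invalid prompt filename")
    candidate = ntpath.join(PROMPTS_DIR, rest)
    if not inside_base(candidate):
        raise ValueError("path escapes the prompts directory")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one absolute, one rooted path.
    for name in ("summary.txt", r"C:\Windows\win.ini", r"\Windows\win.ini"):
        weak = weak_resolve(name)
        try:
            safe = safe_resolve(name)
        except ValueError as exc:
            safe = f"rejected ({exc})"
        print(f"{name!r}: weak -> {weak!r} "
              f"inside_base={inside_base(weak)}; safe -> {safe}")
```

The containment check in inside_base compares whole path components, so a sibling directory that merely shares the prefix (for example a constructed C:\app\prompts_old) is not treated as inside the base.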
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file read vulnerability affects Usagi-org ai-goofish-monitor on Windows deployments. The flaw is reachable over the network without any credentials, by sending a crafted GET request to the /api/prompts/ endpoint with an absolute Windows path or backslash traversal sequence that bypasses the application's incomplete path sanitization. Successful exploitation lets an attacker read any file accessible to the application process, including sensitive configuration files, credentials, and secrets stored on the host. A patched-image rebuild at commit f85d140b6b45029d9a0925feb96dad733b41396d is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from ai-goofish-monitor. Coverage applies to images built from any version prior to the fix commit.
Available
HarborGuard scores this finding at CVSS 8.2 HIGH (v4.0) and can weight it further against per-environment compliance policies before routing the alert to the appropriate team inbox within each customer organization.
Available
A patched-image rebuild at commit f85d140b6b45029d9a0925feb96dad733b41396d is available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the application service.
- Authentication: Not required
No credentials or session token of any kind are needed; the /api/prompts/ endpoint accepts unauthenticated requests.
- Victim interaction: Not required
The attacker sends a single crafted GET request and receives the file contents directly, with no user action required.
- Attack complexity: Detail
Base exploit conditions are straightforward and reliable, though the CVSS Attack Requirements value (AT:P) indicates that specific configuration or deployment conditions (a Windows host with accessible sensitive files) must be present for maximum impact.
Blast Radius
- An attacker reads any file accessible to the application process on the Windows host, including configuration files containing database credentials, API keys, and secrets.
- Environment variable files, .env configs, and any flat-file credential stores co-located with the application are directly exposed.
- Operating system files readable by the process account, such as Windows SAM or system configuration files, can be retrieved if the process runs with sufficient privilege.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image found running a version of ai-goofish-monitor prior to commit f85d140b6b45029d9a0925feb96dad733b41396d. Because this is rated HIGH (CVSS 8.2) and requires no authentication, it is prioritized in the triage queue automatically. Where compliance policy permits, a rebuilt image pinned to the fix commit is made available, and customers with auto-remediation enabled receive a regression-tested rebuild plus a pull request opened against affected workloads (median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled). While awaiting remediation, network-policy controls that restrict inbound HTTP access to the /api/prompts/ endpoint to trusted internal sources serve as an effective compensating control, as does running the application process under a least-privilege account to limit which files on the host are reachable.
Metrics
- CVSS v4.0: 8.2
- Severity: HIGH
- Fixed in: f85d140b6b45029d9a0925feb96dad733b41396d
- Affected Products: 1
- Usagi-org / ai-goofish-monitor < f85d140b6b45029d9a0925feb96dad733b41396d (from 0)
- Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N