HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-44716Published Modified CNA GitHub_M

CVE-2026-44716: Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A path traversal vulnerability exists in the Pipecat development runner's `/files` endpoint, affecting versions 0.0.90 through 1.2.0 (exclusive) of the pipecat-ai/pipecat Python framework. The endpoint concatenates a user-supplied filename parameter directly onto the configured folder path without verifying the result stays within that folder; percent-encoded slashes (`%2F`) bypass Starlette's built-in URL normalization, allowing traversal above the intended directory root. An unauthenticated attacker with network access can read any file the pipecat process can access, including SSH private keys, credential files, and system files, with a single HTTP GET request. A patched-image rebuild at version 1.2.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-44716 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle pipecat-ai. Any image layer containing a pipecat version in the range >=0.0.90, <1.2.0 is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and applies per-environment compliance policy weighting to determine urgency before routing findings to the appropriate team inbox within each customer organization. Because the vulnerability requires no authentication and is reachable over the network, policy engines that weight unauthenticated network exposure will typically escalate its priority further.

Available
Patch

A patched-image rebuild pinned to pipecat-ai 1.2.0 is available on HarborGuard for any environment whose images resolve to an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable `/files` endpoint is served over HTTP, so the attacker must be able to reach the runner service over the network.

  • AuthenticationNot required

    No credentials or session token are needed; the endpoint accepts unauthenticated GET requests.

  • Victim interactionNot required

    Exploitation is fully attacker-driven and requires no action from any user of the affected system.

  • Attack complexityDetail

    The exploit is reliable and condition-free; sending a single crafted HTTP GET request with percent-encoded path separators is sufficient to trigger traversal.

Blast Radius

  • Reads arbitrary files accessible to the pipecat process, including SSH private keys and API credential files stored on the host.
  • Reads system files such as /etc/passwd and application configuration files that may contain database connection strings or secrets.
  • Exposes any file reachable from the process's working directory, including other users' home directory contents if filesystem permissions allow it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44716 activates automatically for any scanned image containing pipecat-ai >=0.0.90 and <1.2.0, with no manual configuration required. A rebuild targeting the fixed version 1.2.0 is available, and for customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads; for high-severity CVEs, the median time from publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with CVSS context attached. Because the vulnerable endpoint is only exposed when the runner is started with the `--folder` flag, teams that cannot update immediately should consider network-policy controls that restrict inbound access to the runner's port to trusted internal CIDRs only, reducing exposure while a full rebuild is prepared.

See how HarborGuard automates this
Affected packages
  • pipecat-ai / pipecat
    >= 0.0.90, < 1.2.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References