CVE-2026-47118: Agent Zero < 1.15 Path Traversal File Read via image_get API
Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled. Attackers can request any file with an image extension readable by the process, including files outside the agent workspace, user home directories, and mounted volumes, and can also leverage symlink-based escapes due to the lack of path canonicalization in the path resolution logic.
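The flaw described above comes down to checking the file extension without resolving and containing the path. The following is an added example, not Agent Zero's code: the function names, the allowlist and the constructed directory layout are hypothetical. It compares an extension-only check with one that canonicalizes the path and enforces containment before applying the allowlist.

```python
import os
import tempfile

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}  # assumed allowlist


def extension_only_check(base_dir, requested):
    """Weak pattern: allowlist on the extension, no containment, no canonicalization."""
    path = os.path.join(base_dir, requested)  # an absolute 'requested' replaces base_dir
    return os.path.splitext(path)[1].lower() in ALLOWED_EXT


def contained_check(base_dir, requested):
    """Hardened pattern: resolve symlinks and '..' first, require the result
    to sit under the resolved base directory, then apply the allowlist."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    inside = target.startswith(base + os.sep)
    return inside and os.path.splitext(target)[1].lower() in ALLOWED_EXT


def run_demo():
    """Build a constructed directory layout and compare both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        outside = os.path.join(root, "home")
        os.makedirs(workspace)
        os.makedirs(outside)
        for p in (os.path.join(workspace, "logo.png"), os.path.join(outside, "private.png")):
            with open(p, "wb") as fh:
                fh.write(b"constructed sample bytes")
        os.symlink(outside, os.path.join(workspace, "link"))  # symlink leaving the workspace
        cases = {
            "inside": "logo.png",
            "dotdot": "../home/private.png",
            "absolute": os.path.join(outside, "private.png"),
            "symlink": "link/private.png",
        }
        for name, req in cases.items():
            results[name] = (extension_only_check(workspace, req),
                             contained_check(workspace, req))
    return results


if __name__ == "__main__":
    for name, (weak, hardened) in run_demo().items():
        print(f"{name:9s} extension-only={weak!s:5s} contained={hardened}")
```

The extension-only check accepts all four constructed requests, while the contained check accepts only the file that resolves inside the workspace.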
HarborGuard Analysis
Synopsis
A path traversal vulnerability in Agent Zero before version 1.15 allows unauthenticated attackers to read arbitrary files through the image_get API endpoint. The endpoint enforces only a file-extension allowlist while path containment checks are explicitly disabled, meaning any file readable by the process and ending with an image extension can be retrieved directly over the network. Successful exploitation gives an attacker read access to files outside the agent workspace, including files in user home directories and mounted volumes. A patched-image rebuild at version 1.15 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-47118 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from agent-zero. Any image running a version of agent-zero below 1.15 will surface as affected.
Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and weights findings against each customer environment's compliance policy to determine urgency and ownership. Triage alerts are routed to the inbox or ticket queue configured inside each customer organization for high-severity findings.
Available
A patched-image rebuild at agent-zero 1.15 becomes available through HarborGuard once the upstream fix version is confirmed, which it is in this case. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable image_get endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP to exploit it.
- Authentication: Not required
  No credentials or session token are needed; the endpoint accepts unauthenticated requests.
- Victim interaction: Required
  The CVSS v4.0 vector specifies UI:P, meaning some form of passive user interaction (such as a user accessing the application in a context that triggers the vulnerable request) is part of the attack scenario.
- Attack complexity: Detail
  Attack complexity is low: the exploit requires only a crafted path string and no race conditions, memory layout assumptions, or other environmental factors to succeed reliably.
Blast Radius
- An attacker reads arbitrary files accessible to the agent-zero process, including configuration files, secrets, and API keys stored on the host filesystem.
- Files in user home directories, such as SSH private keys or shell history, are readable if the process has access to them.
- Contents of mounted volumes, including secrets injected at container runtime, are exposed.
- Symlink-based escapes extend the readable scope beyond directories that would otherwise be reachable through simple path traversal alone.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47118 is active across all connected registries and pipelines, flagging any image running agent-zero below version 1.15 as HIGH severity. A patched-image rebuild at version 1.15 is available for affected images. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression test run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy permits immediate remediation, no manual steps are required beyond reviewing and merging the PR. Customers who manage remediation manually can use the HarborGuard finding to identify affected images and pin rebuilds to the 1.15 tag. As a compensating control prior to patching, network policy rules that restrict inbound access to the image_get endpoint to trusted internal sources reduce the exploitable surface while a rebuild is prepared.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 1.15
- Affected Products: 1
  - 3clyp50 / agent-zero < 1.15 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N