CVE-2026-48544: Taipy 4.1.1 Path Traversal via ElementLibrary.get_resource()
Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in the ElementLibrary.get_resource() method in taipy/gui/extension/library.py that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check using str.startswith() without a trailing path separator. Attackers can send crafted GET requests with path traversal segments targeting a prefix-matching sibling directory on disk, bypassing the directory containment check because Flask's path converter and Werkzeug's WSGI layer preserve the traversal segments while the resolved path still satisfies the flawed startswith comparison, enabling unauthorized file access outside the intended library directory.
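The containment pattern described above, shown beside two corrected forms. This is an added example, not Taipy's code or the upstream patch; the function names and the `mylib` / `mylib_private` directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def contained_flawed(base_dir: str, requested: str) -> bool:
    """Prefix test without a trailing separator (the flawed pattern)."""
    resolved = os.path.realpath(os.path.join(base_dir, requested))
    return resolved.startswith(os.path.realpath(base_dir))


def contained_with_separator(base_dir: str, requested: str) -> bool:
    """Same prefix test, but the base must be followed by a separator."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, requested))
    return resolved == base or resolved.startswith(base + os.sep)


def contained_by_components(base_dir: str, requested: str) -> bool:
    """Component-wise containment; no string prefix logic at all."""
    base = Path(base_dir).resolve()
    resolved = (base / requested).resolve()
    return resolved == base or base in resolved.parents


def demo() -> dict:
    """Constructed layout: <tmp>/mylib and its sibling <tmp>/mylib_private."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "mylib")
        sibling = os.path.join(tmp, "mylib_private")
        for d in (lib, sibling):
            os.makedirs(d)
        Path(lib, "widget.js").write_text("// asset")
        Path(sibling, "settings.cfg").write_text("constructed sample")
        cases = {
            "inside": "widget.js",
            "sibling": "../mylib_private/settings.cfg",
            "parent": "../other/file.txt",
        }
        checks = (contained_flawed, contained_with_separator, contained_by_components)
        return {
            name: tuple(check(lib, rel) for check in checks)
            for name, rel in cases.items()
        }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:8} flawed={verdicts[0]} sep={verdicts[1]} parts={verdicts[2]}")
```

The flawed check still rejects the plain `parent` case, which is why ordinary traversal tests pass against it; only the prefix-matching sibling gets through.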
HarborGuard Analysis
Synopsis
A path traversal vulnerability in Taipy 4.1.1 allows unauthenticated remote attackers to read arbitrary files outside the intended extension library directory. The flaw lives in the ElementLibrary.get_resource() method, which uses a flawed str.startswith() check without a trailing path separator to enforce directory containment, letting crafted GET requests escape the sandbox. Successful exploitation gives an attacker read access to files anywhere on disk that the Taipy process can reach. A patched-image rebuild pinned to commit 129fd407ffca49ee4ab853772c88d0c873e038dd is available on HarborGuard for environments running the affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Taipy. Any image found to carry Taipy 4.1.1 or earlier is flagged immediately.
Status: Available
HarborGuard surfaces this finding with its CVSS v4.0 score of 8.7 (HIGH) and applies per-environment compliance policy weighting to prioritize severity routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
A patched-image rebuild pinned to the fix commit 129fd407ffca49ee4ab853772c88d0c873e038dd is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild automatically, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Status: Available
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP GET requests to the Taipy application to exploit this flaw.
- Authentication: Not required
No credentials or account are needed; the get_resource() endpoint is accessible to unauthenticated requests.
- Victim interaction: Not required
Exploitation is fully server-side and requires no action from any user or administrator on the target system.
- Attack complexity: Detail
Exploitation is reliable and condition-free; no race conditions or special environmental factors are required to craft a working traversal payload.
Blast Radius
- An attacker can read any file accessible to the Taipy process, including application source code, configuration files, and private keys stored on the host filesystem.
- Secrets such as database credentials, API tokens, and environment variable files outside the intended library directory can be exfiltrated in a single crafted GET request.
- No modification or availability impact is associated with this vulnerability; the attacker gains read-only access but cannot write or delete files through this vector.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of advisory ingestion for any image carrying Taipy 4.1.1 or an earlier affected release, including custom-built images. A rebuilt image pinned to the fix commit (129fd407ffca49ee4ab853772c88d0c873e038dd) becomes available in the HarborGuard registry as soon as the upstream fix is confirmed. For customers who have auto-remediation enabled, HarborGuard initiates the rebuild, executes a regression run against the patched image, and opens a pull request targeting affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with remediation guidance attached. Until a patched image is deployed, network-policy controls that restrict inbound HTTP access to the Taipy service to trusted sources only are an effective compensating control given the unauthenticated network-exposed nature of this vulnerability.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 129fd407ffca49ee4ab853772c88d0c873e038dd
- Affected Products: 1
- Avaiga / taipy ≤ 4.1.1 (fixed in 129fd407ffca49ee4ab853772c88d0c873e038dd)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N