VYPR
Medium severity (4.3) · NVD Advisory · Published Mar 17, 2026 · Updated Apr 29, 2026

CVE-2026-4307

Description

A security flaw has been discovered in frdel/agent0ai agent-zero 0.9.7-10. The impacted element is the function get_abs_path of the file python/helpers/files.py. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Agent Zero 0.9.7-10 has a path traversal in `/download_work_dir_file` allowing authenticated remote attackers to read arbitrary files.

Root Cause

The vulnerability resides in the get_abs_path() function within python/helpers/files.py. This function uses Python's os.path.join() to construct file paths. A known behavior of os.path.join() is that if any component is an absolute path, all preceding components are discarded. Consequently, when an attacker supplies an absolute path (e.g., /etc/passwd) as the path parameter, the intended base directory restriction is bypassed, and the absolute path is used directly [1].

Exploitation

An authenticated attacker can exploit this by sending a crafted GET request to the /download_work_dir_file endpoint with an absolute path as the path parameter. The vulnerable code path in file_info.py calls files.get_abs_path(path) without performing any validation to ensure the resulting path stays within the allowed workspace directory. In contrast, the FileBrowser class in file_browser.py implements proper path validation using pathlib and resolve(), but this protection is not applied to the vulnerable endpoint [1].

Impact

Successful exploitation allows an attacker to read any file on the server that is readable by the application process. This can lead to exfiltration of sensitive configuration files, credentials, API keys, and system information. The attack can be executed remotely, and a public proof-of-concept exploit has been released [1].

Mitigation

The vendor was contacted but did not respond. As of the publication date (2026-03-17), no official patch has been released. Users should apply input validation to the path parameter, ensuring it is resolved relative to the base directory and does not escape via absolute paths or .. sequences. Until a fix is available, restricting network access to the Agent Zero instance and requiring authentication are recommended [1].
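To make the root-cause and mitigation points concrete, the following is an added example (not code from the agent-zero project): a minimal illustration of the os.path.join join pattern the advisory describes next to a hypothetical hardened helper that resolves the request path with pathlib and refuses anything outside the workspace. The workspace path and the function names are assumptions.

```python
import os
from pathlib import Path

# Constructed placeholder for the Agent Zero workspace root; not a path
# taken from the project.
WORK_DIR = "/srv/agent-zero/work_dir"


def naive_abs_path(base: str, user_path: str) -> str:
    """The join pattern the advisory describes (illustrative, not the
    project's code): os.path.join discards every component that precedes
    an absolute one, so an absolute user_path replaces base entirely."""
    return os.path.join(base, user_path)


def safe_abs_path(base: str, user_path: str) -> str:
    """Hypothetical hardened helper: map user_path into base and refuse
    anything that resolves outside it. Raises ValueError on escape."""
    if os.path.isabs(user_path):
        # Reject the absolute-path bypass up front instead of letting
        # os.path.join silently drop the base directory.
        raise ValueError(f"absolute paths are not allowed: {user_path!r}")
    root = Path(base).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the
    # containment check below sees the real target, not the raw string.
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes workspace: {user_path!r}") from None
    return str(candidate)


def is_within_workspace(base: str, user_path: str) -> bool:
    """Boolean wrapper, e.g. for a request-validation layer or a test."""
    try:
        safe_abs_path(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["notes/todo.txt", "sub/../notes/todo.txt",
              "/etc/passwd", "../../etc/passwd"]:
        verdict = "accept" if is_within_workspace(WORK_DIR, p) else "reject"
        print(f"{p!r:26} naive={naive_abs_path(WORK_DIR, p)!r:40} safe={verdict}")
```

The naive join returns the attacker-controlled absolute path unchanged, while the hardened helper accepts only paths that still sit under the workspace after resolution.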

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.
