VYPR
High severity 7.3 · NVD Advisory · Published May 17, 2026 · Updated May 18, 2026

CVE-2026-8757

Description

A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in Hive framework's session history deletion API allows unauthenticated remote attackers to delete arbitrary directories, leading to data destruction and denial of service.

Vulnerability

The vulnerability resides in the handle_delete_history_session handler within core/framework/server/routes_sessions.py. The handler takes the session_id path parameter from the request URL as-is, with no check that it is a plain identifier, so traversal sequences (URL-encoded as %2E%2E%2F, decoded to ../) pass straight through. Joined onto the session-history base path, the resulting path is handed to shutil.rmtree(), which recursively deletes whatever directory it points to [1].

Exploitation

An unauthenticated attacker can send a DELETE request to /api/sessions/history/{session_id} with a crafted session_id containing URL-encoded traversal sequences. The aiohttp framework decodes the path parameter before the handler sees it, so a payload like %2E%2E%2F%2E%2E%2Ftmp%2Fpwned resolves to ../../tmp/pwned. The application then deletes the resolved directory, which can be any directory the server process is permitted to remove [1].

Impact

Successful exploitation allows arbitrary directory deletion on the host filesystem, bounded only by the permissions of the Hive server process. This can lead to severe data loss, broken application functionality, and denial of service. Because the attack requires no authentication and can be executed remotely, the risk is high [1].

Mitigation

As of the disclosure, the vendor has not responded, and no patch is available. Users of Hive up to version 0.11.0 should either restrict access to the endpoint or add validation on the session_id parameter: reject any value that is not a plain identifier (no path separators, no "..", no leading "/"), and additionally confirm that the resolved target is a direct child of the session-history directory before anything is passed to shutil.rmtree(). Since the exploit is public, immediate action is recommended [1].
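The traversal described under Vulnerability and Exploitation, and the two-layer check suggested under Mitigation, as an added example. This is illustrative code written for this page, not Hive's handler: the function names, the sessions/victim directory layout, and the use of urllib's unquote() to stand in for aiohttp's path-parameter decoding are all assumptions. The naive join reproduces the vulnerable pattern inside a throwaway temp directory; the hardened resolver applies an identifier allow-list and then independently verifies that the resolved path's parent is the session store.

```python
"""Session-history deletion: traversal-prone join beside a hardened resolver.

Added example for this advisory page, not adenhq/hive project code. Function
names and the directory layout are illustrative assumptions.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Allow-list for session identifiers: no separators, no dots, bounded length.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_session_dir(base_dir: Path, raw_session_id: str) -> Path:
    """Traversal-prone join: the decoded path segment is appended to base_dir.

    aiohttp hands the handler an already-decoded path parameter; unquote()
    stands in for that decoding here. '..' components survive the join.
    """
    return base_dir / unquote(raw_session_id)


def safe_session_dir(base_dir: Path, raw_session_id: str) -> Path:
    """Validate the identifier, then prove the resolved path is a direct child of base_dir."""
    session_id = unquote(raw_session_id)
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"invalid session id: {session_id!r}")
    base = base_dir.resolve()
    target = (base / session_id).resolve()  # follows symlinks, collapses '..'
    # Independent second check: even a regex slip must not let the target escape.
    if target.parent != base:
        raise ValueError(f"session path escapes base directory: {target}")
    return target


def delete_history_session(base_dir: Path, raw_session_id: str,
                           hardened: bool) -> Optional[Path]:
    """Delete one session directory. Returns the removed path, or None if refused/absent."""
    try:
        target = (safe_session_dir if hardened else naive_session_dir)(base_dir, raw_session_id)
    except ValueError:
        return None
    if not target.is_dir():
        return None
    shutil.rmtree(target)
    return target


def demo(raw_session_id: str, hardened: bool) -> dict:
    """Run one DELETE against a constructed throwaway layout and report what survived.

    Layout (constructed for the demo): <tmp>/sessions/legit is a real session,
    <tmp>/victim/data is an unrelated directory outside the session store.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "sessions"
        (base / "legit").mkdir(parents=True)
        victim = root / "victim"
        (victim / "data").mkdir(parents=True)
        removed = delete_history_session(base, raw_session_id, hardened)
        return {
            "removed": removed is not None,
            "victim_survived": victim.exists(),
            "legit_survived": (base / "legit").exists(),
        }


if __name__ == "__main__":
    # The URL-encoded payload shape from the advisory, against both handlers.
    for hardened in (False, True):
        print("hardened" if hardened else "naive   ",
              demo("%2E%2E%2Fvictim", hardened=hardened))
    print("legit id", demo("legit", hardened=True))
```

The allow-list alone would block the published payload, but the parent check is what makes the handler robust to future mistakes in the regex, to an absolute path replacing the base on join, and to a session entry that is a symlink pointing outside the store.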

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • adenhq/hive (inferred), 2 version ranges
    • (no CPE) range: <=0.11.0
    • (no CPE) range: <=0.11.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.