CVE-2026-22661 Overview
CVE-2026-22661 is a path traversal vulnerability in prompts.chat prior to commit 0f8d4c3 that exists in the skill file handling functionality. The vulnerability allows attackers to write arbitrary files to client systems by crafting malicious ZIP archives containing unsanitized filenames with path traversal sequences. Successful exploitation enables attackers to overwrite shell initialization files and achieve code execution on vulnerable systems.
Critical Impact
Attackers can exploit missing server-side filename validation to inject path traversal sequences (../) into skill file archives, enabling arbitrary file write and potential remote code execution through shell initialization file overwrites.
Affected Products
- prompts.chat (versions prior to commit 0f8d4c3)
Discovery Timeline
- 2026-04-03 - CVE-2026-22661 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-22661
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and stems from insufficient input validation when processing skill file archives in prompts.chat. The application fails to properly sanitize filenames contained within ZIP archives before extracting them to the filesystem.
When a user imports a skill file, the application extracts the archive contents without validating that the embedded filenames are constrained to the intended extraction directory. An attacker can craft a malicious ZIP file containing entries with path traversal sequences (e.g., ../../../.bashrc) that, when extracted, write files outside the designated skill directory.
The attack is network-based and requires user interaction to trigger the extraction of a malicious skill archive. Once extracted, the attacker-controlled file can overwrite critical system files such as shell initialization scripts (.bashrc, .zshrc, .profile), enabling code execution the next time a shell session is initiated.
Root Cause
The root cause is missing server-side filename validation in the skill file extraction routine. The application directly uses filenames from the ZIP archive without stripping or rejecting path traversal sequences like ../. This allows archive entries to escape the intended extraction directory and write to arbitrary filesystem locations accessible by the application's process.
Attack Vector
The attack vector involves an attacker preparing a malicious ZIP archive containing files with crafted names that include path traversal sequences. When a victim downloads and imports this skill file through the prompts.chat interface, the extraction process writes the malicious payload to an attacker-chosen location on the filesystem.
A typical attack scenario involves the attacker creating a ZIP file with an entry named ../../../home/victim/.bashrc containing malicious shell commands. Upon extraction, this file overwrites the victim's shell initialization script. The next time the victim opens a terminal session, the injected commands execute with the victim's privileges.
The vulnerability requires user interaction (importing a skill file) but operates over the network, as malicious skill archives can be distributed through various channels including shared repositories, social engineering, or compromised skill hosting services.
Detection Methods for CVE-2026-22661
Indicators of Compromise
- Unexpected modifications to shell initialization files (.bashrc, .zshrc, .profile) with timestamps correlating to skill file imports
- Files appearing outside the expected skill directory structure following archive extraction operations
- Archive entry names containing path traversal sequences recorded in application logs, or files with such names left behind in temporary directories
Detection Strategies
- Monitor file system operations during skill import workflows for writes outside designated directories
- Implement integrity monitoring on critical system files such as shell initialization scripts
- Review application logs for archive extraction events with suspicious filename patterns containing ../ sequences
- Deploy file integrity monitoring (FIM) solutions to detect unauthorized modifications to user home directories
Monitoring Recommendations
- Configure alerts for any file write operations targeting shell initialization files from the prompts.chat application context
- Implement audit logging for all archive extraction events with full filename path recording
- Monitor for process execution anomalies following shell initialization file modifications
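The log review in the detection strategies above can be automated. The following is an added example, not code from prompts.chat or the advisory; the project's own language and log format are not given here, so it uses Python and a constructed audit-log line shape ("skill-import archive=... entry=...") that stands in for whatever the application actually records. It normalises each logged entry name so that traversal hidden mid-path (a/../../b) and absolute names are caught alongside a leading ../, and it separately flags entries whose basename matches one of the shell initialization files the advisory names.

```python
import posixpath
import re

# File names the advisory names as overwrite targets.
SHELL_INIT_FILES = {".bashrc", ".zshrc", ".profile"}

# Assumed audit-log line shape (constructed for this example; the real
# prompts.chat log format is not given in the advisory).
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>\w+)\s+skill-import\s+'
    r'archive=(?P<archive>\S+)\s+entry="(?P<entry>[^"]*)"'
)

# Constructed sample log lines: one clean import and one that smuggles
# traversal entries past the extraction directory.
SAMPLE_LOG = """\
2026-04-05T10:12:31Z INFO skill-import archive=tidy-notes.zip entry="tidy-notes/SKILL.md"
2026-04-05T10:12:31Z INFO skill-import archive=tidy-notes.zip entry="tidy-notes/notes/.profile"
2026-04-05T10:13:02Z INFO skill-import archive=free-skill.zip entry="../../../.bashrc"
2026-04-05T10:13:02Z INFO skill-import archive=free-skill.zip entry="skills/../../.zshrc"
2026-04-05T10:13:02Z INFO skill-import archive=free-skill.zip entry="/etc/motd"
2026-04-05T10:14:10Z WARN something-else unrelated line
"""


def escapes_extraction_dir(entry: str) -> bool:
    """True if a ZIP entry name resolves outside the extraction directory.

    Normalising first means `a/../../b` is caught as well as a leading `../`.
    Backslashes are folded to `/` because some archivers store them (assumption).
    """
    name = entry.replace("\\", "/")
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def find_suspicious_imports(log_text: str) -> list:
    """Scan extraction-event log lines; return one finding per suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m["entry"]
        reasons = []
        if escapes_extraction_dir(entry):
            reasons.append("escapes extraction dir")
        basename = posixpath.basename(posixpath.normpath(entry.replace("\\", "/")))
        if basename in SHELL_INIT_FILES:
            reasons.append("shell init file name")
        if reasons:
            findings.append({"ts": m["ts"], "archive": m["archive"],
                             "entry": entry, "reasons": reasons})
    return findings


def archives_to_quarantine(log_text: str) -> list:
    """Archives with at least one escaping entry, in first-seen order."""
    seen = []
    for f in find_suspicious_imports(log_text):
        if "escapes extraction dir" in f["reasons"] and f["archive"] not in seen:
            seen.append(f["archive"])
    return seen


if __name__ == "__main__":
    for finding in find_suspicious_imports(SAMPLE_LOG):
        print(finding)
    print("quarantine:", archives_to_quarantine(SAMPLE_LOG))
```

A shell-init basename inside the skill directory (tidy-notes/notes/.profile above) is reported with only the "shell init file name" reason; on its own it is not an escape, but it is worth a look when it arrives in the same import as an escaping entry. Only archives that actually contain an escaping entry are returned by archives_to_quarantine.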
How to Mitigate CVE-2026-22661
Immediate Actions Required
- Update prompts.chat to commit 0f8d4c381abd7b2d7478c9fdee9522149c2d65e5 or later
- Audit recently imported skill files for suspicious content
- Review shell initialization files (.bashrc, .zshrc, .profile) for unauthorized modifications
- Restrict skill file imports to trusted sources only until patched
Patch Information
The vulnerability has been addressed in commit 0f8d4c3 as documented in GitHub Pull Request #1101. Users should update to a version containing this commit. The fix implements proper filename sanitization to reject or neutralize path traversal sequences during archive extraction.
For additional details, see the GitHub Commit Overview and the VulnCheck Security Advisory.
Workarounds
- Disable skill file import functionality until the patch can be applied
- Implement external file integrity monitoring on critical system configuration files
- Run prompts.chat in a sandboxed environment with restricted filesystem access
- Manually inspect skill archive contents before importing, rejecting any entries with ../ in filenames
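The root cause, the fix described under Patch Information, and the last workaround above all come down to one check: does an archive entry's name, once resolved against the extraction directory, still lie inside it. The following is an added example, not prompts.chat's code and not the fix in commit 0f8d4c3; the project's language is not stated here, so Python's standard zipfile module is used. It builds a constructed sample archive in memory with one legitimate entry and one ../../../.bashrc entry, shows the bug pattern (joining the entry name onto the destination and trusting it), then the hardened form that resolves each entry with realpath and rejects the whole archive if any entry escapes. unsafe_entries doubles as the pre-import inspection the workaround asks for. The demo nests the skill directory four levels inside a temporary directory so the escaping entry lands inside that temporary tree and nowhere else.

```python
import io
import os
import tempfile
import zipfile


def build_sample_skill_zip() -> bytes:
    """Build a skill archive in memory (constructed sample data, not a real skill).

    One entry is legitimate; the other carries the traversal sequence the
    advisory describes, so extraction without a containment check would write
    it three directories above the skill directory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-skill/SKILL.md", "# harmless skill\n")
        zf.writestr("../../../.bashrc", "# placeholder content for the demo\n")
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list:
    """The bug pattern: entry names are joined onto `dest` and trusted as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def resolve_contained(dest: str, name: str):
    """Return the resolved target for `name` if it stays inside `dest`, else None.

    Resolving with realpath also catches absolute entry names and `..` segments
    hidden in the middle of a path (e.g. a/../../b), not just a leading ../.
    """
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Pre-import inspection: list every entry name that would escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if resolve_contained(dest, n) is None]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened extraction: refuse the whole archive if any entry escapes."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    written = []
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_contained(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors inside a throwaway directory tree.

    Returns (paths the vulnerable extractor wrote outside the skill directory,
    whether the hardened extractor rejected the archive).
    """
    base = tempfile.mkdtemp(prefix="cve-2026-22661-demo-")
    dest = os.path.join(base, "a", "b", "c", "skills")  # deep enough to stay in base
    os.makedirs(dest)
    zip_bytes = build_sample_skill_zip()
    escaped = [p for p in vulnerable_extract(zip_bytes, dest)
               if not p.startswith(dest + os.sep)]
    try:
        safe_extract(zip_bytes, dest)
        rejected = False
    except ValueError:
        rejected = True
    return escaped, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting the archive outright, rather than silently dropping or renaming the offending entry, is the safer design: a skill that ships a traversal entry is not a skill anyone wants partially installed, and the rejection produces an event worth logging. Entries that are symlinks need separate handling; this example writes regular files only.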
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.