CVE-2026-44716 Overview
CVE-2026-44716 is a path traversal vulnerability [CWE-22] in Pipecat, an open-source Python framework for building real-time voice and multimodal conversational agents. The flaw affects versions 0.0.90 through versions prior to 1.2.0. When the development runner is started with the --folder flag, it exposes a GET /files/{filename:path} endpoint that fails to validate the user-supplied path. Attackers with network access can read any file the Pipecat process can access, including SSH private keys, credentials, and system files, through a single unauthenticated HTTP request.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on the host running the Pipecat development runner.
Affected Products
- Pipecat versions 0.0.90 through versions before 1.2.0
- Pipecat development runner (src/pipecat/runner/run.py) started with the --folder flag
- Deployments exposing the runner endpoint to untrusted networks
Discovery Timeline
- 2026-06-10 - CVE-2026-44716 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-44716
Vulnerability Analysis
The vulnerability resides in the Pipecat development runner located at src/pipecat/runner/run.py. When launched with the --folder flag, the runner registers a Starlette route GET /files/{filename:path} to serve files from the supplied directory. The handler concatenates the filename path parameter directly onto args.folder without performing any containment check against the intended base directory.
Starlette normalizes literal ../ sequences encountered in URLs, which would otherwise block trivial directory traversal attempts. The handler decodes URL-encoded characters in the path parameter after routing has occurred. This decoding order allows %2F-encoded forward slashes to bypass Starlette's normalization step entirely.
A payload such as ..%2F..%2Fetc%2Fpasswd resolves to a path two directory levels above args.folder once decoded. Any file readable by the Pipecat process becomes accessible through the endpoint.
Root Cause
The root cause is the absence of a canonicalization and containment check on the user-controlled filename parameter before file system access. The handler trusts URL routing to enforce traversal protections, but Starlette's normalization runs against the raw URL rather than the post-decoded path parameter. This mismatch in encoding handling enables [CWE-22] path traversal.
Attack Vector
An attacker requires only network reachability to the Pipecat runner. No authentication, user interaction, or prior access is required. The attacker sends an HTTP GET request to /files/ followed by a URL-encoded traversal sequence pointing to the target file. The server responds with the contents of the requested file if readable by the Pipecat process. Targets of interest include ~/.ssh/id_rsa, /etc/passwd, environment files, and application configuration containing API tokens or database credentials.
The vulnerability is described in the GitHub Security Advisory GHSA-3363-2ph6-35wh.
Detection Methods for CVE-2026-44716
Indicators of Compromise
- HTTP requests to /files/ containing %2F, %2E%2E, or other URL-encoded traversal sequences
- Successful 200 OK responses from the /files/{filename:path} endpoint returning content from outside the configured --folder directory
- Access log entries showing reads of sensitive files such as /etc/passwd, id_rsa, or .env originating from the Pipecat process
- Outbound connections from hosts that previously received unusual /files/ requests, suggesting credential reuse
Detection Strategies
- Inspect web access logs for the path pattern /files/ followed by encoded traversal tokens (%2e%2e%2f, ..%2f, %2F)
- Alert on Pipecat processes reading files outside the directory passed to --folder
- Correlate file read events with the parent process identity to flag unexpected access by the runner
Monitoring Recommendations
- Forward Pipecat runner HTTP access logs to a centralized logging or SIEM platform for retention and pattern matching
- Monitor file integrity and access events for sensitive paths such as ~/.ssh/, /etc/, and application secret stores
- Track network exposure of development runners to identify instances reachable from untrusted networks
How to Mitigate CVE-2026-44716
Immediate Actions Required
- Upgrade Pipecat to version 1.2.0 or later, which contains the official fix
- Stop any Pipecat development runner instance currently exposed to untrusted networks until patched
- Rotate credentials, SSH keys, and API tokens that may have been readable from hosts running affected versions
- Audit access logs for /files/ requests containing encoded traversal sequences
Patch Information
The maintainers patched the vulnerability in Pipecat 1.2.0. The fix is delivered via GitHub Pull Request #4417 and commit 7519c26. Release artifacts are available in the Pipecat v1.2.0 release notes.
Workarounds
- Do not start the runner with the --folder flag in production or networked environments
- Bind the runner to 127.0.0.1 only and front it with an authenticated reverse proxy if file serving is required
- Restrict the operating system permissions of the Pipecat process so it cannot read sensitive files such as SSH keys or credentials
- Place network access controls in front of the runner to limit reachability to trusted developer workstations
# Configuration example: upgrade Pipecat to the patched release
pip install --upgrade "pipecat-ai>=1.2.0"
# Verify the installed version
python -c "import pipecat; print(pipecat.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
