CVE-2026-47118 Overview
CVE-2026-47118 is a path traversal vulnerability [CWE-22] in Agent Zero versions before 1.15. The flaw exists in the image file serving endpoint, which validates requests using only an extension allowlist while the path containment check is explicitly disabled. Unauthenticated attackers can supply crafted paths to read arbitrary files with image extensions readable by the process. The vulnerable code path lacks canonicalization, allowing symlink-based escapes outside the agent workspace, user home directories, and mounted volumes.
Critical Impact
Unauthenticated remote attackers can read arbitrary files accessible to the Agent Zero process, exposing secrets, configuration data, and files on mounted volumes.
Affected Products
- Agent Zero versions prior to 1.15
- Deployments exposing the image_get API endpoint
- Container and host environments with mounted volumes accessible to the Agent Zero process
Discovery Timeline
- 2026-05-27 - CVE-2026-47118 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-47118
Vulnerability Analysis
The vulnerability resides in the Agent Zero image_get API handler in helpers/api.py. The endpoint serves image files from a path provided by the client. It checks the file extension against an allowlist but skips the path containment check that would restrict reads to the agent workspace. The path resolution logic does not canonicalize the supplied path before opening the file.
An unauthenticated attacker can request any file whose name ends in a permitted image extension. Because canonicalization is missing, attackers can also place or follow symbolic links pointing outside the intended directory. The result is arbitrary file read across the host file system, limited only by the process user's permissions.
Sensitive targets include credential files, private keys, environment configuration, kernel and runtime metadata files, and files within mounted Docker volumes. The attack requires no authentication and minimal interaction.
Root Cause
The root cause is reliance on extension filtering as the sole authorization check combined with a disabled containment check and missing path canonicalization. Extension allowlisting does not constrain the directory tree, so any readable file renamed or symlinked with an image extension is exposed.
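The difference between an extension-only check and a canonicalizing containment check, as an added example (not Agent Zero's code or the upstream patch). The allowlist contents, function names and temporary workspace layout are assumptions constructed for the demonstration.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}  # assumed allowlist


def extension_only_check(requested: str) -> bool:
    """Flawed pattern: the suffix is the only property inspected."""
    return Path(requested).suffix.lower() in ALLOWED_EXT


def resolve_contained(base_dir: str, requested: str) -> Path | None:
    """Return the canonical file path if it is an image inside base_dir."""
    base = Path(base_dir).resolve(strict=True)
    try:
        # An absolute `requested` replaces `base` in the join; resolve() then
        # collapses ".." and follows symlinks, so the containment test below
        # runs on the real target, not on the string the client sent.
        target = (base / requested).resolve(strict=True)
    except (OSError, RuntimeError, ValueError):  # missing, loop, NUL byte
        return None
    if not target.is_relative_to(base):
        return None
    if target.suffix.lower() not in ALLOWED_EXT or not target.is_file():
        return None
    return target


def demo() -> dict[str, tuple[bool, bool]]:
    """Constructed workspace: (extension-only verdict, contained verdict)."""
    with tempfile.TemporaryDirectory() as root:
        ws = Path(root, "workspace")
        ws.mkdir()
        (ws / "chart.png").write_bytes(b"image bytes")
        outside = Path(root, "outside.png")  # lives next to, not in, ws
        outside.write_bytes(b"not for serving")
        os.symlink(outside, ws / "link.png")
        cases = {"inside": "chart.png", "dotdot": "../outside.png",
                 "absolute": str(outside), "symlink": "link.png"}
        return {name: (extension_only_check(req),
                       resolve_contained(str(ws), req) is not None)
                for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ext_ok, contained_ok) in demo().items():
        print(f"{name:9} extension-only={ext_ok} contained={contained_ok}")
```

Serve the returned canonical path rather than the client-supplied string. A symlink swapped between the check and the open remains a race, which a read-only workspace narrows.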
Attack Vector
Attackers send HTTP requests to the image serving endpoint with paths containing traversal sequences such as ../ or absolute paths referencing files outside the workspace. Symlinks placed within the workspace can also redirect resolution to arbitrary targets.
# Security patch from helpers/api.py - resolves image_get containment bypass (#1609)
url_for,
)
from werkzeug.wrappers.response import Response as BaseResponse
-from agent import AgentContext
from helpers.print_style import PrintStyle
from helpers.errors import format_error
from helpers import files, cache
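Review bot: Removing `from agent import AgentContext` from the helpers/api.py import block is safe only if nothing in the module still references AgentContext; a leftover use would fail with a NameError at request time rather than at import, so a grep of the file and a test that exercises each handler are worth adding. The containment check named in the caption is not among these lines, so the diff as shown cannot confirm the fix; a pointer in the commit message to where image_get validates the path would help reviewers.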
Source: GitHub Commit 1f2d512
# Security patch from helpers/runtime.py - removes settings import path used in bypass
import secrets
from pathlib import Path
from typing import TypeVar, Callable, Awaitable, Union, overload, cast
-from helpers import dotenv, rfc, settings, files
+from helpers import dotenv, rfc, files
import asyncio
import threading
import queue
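Review bot: With `settings` dropped from `from helpers import dotenv, rfc, settings, files` in helpers/runtime.py, any remaining `settings.` reference in the module will only fail when that code path runs, so check the file for leftovers and cover the affected functions with a test. If the import was removed to cut a dependency that the bypass relied on, a short comment beside the import line stating that would keep it from being re-added later.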
Source: GitHub Commit 1f2d512
Detection Methods for CVE-2026-47118
Indicators of Compromise
- HTTP requests to the image_get endpoint containing path traversal sequences such as ../, ..%2f, or URL-encoded variants.
- Requests for image-extension paths targeting locations outside the agent workspace, such as /etc/, /root/, or mounted volume paths.
- Unexpected file access events from the Agent Zero process to files outside its working directory.
- Creation of symbolic links inside the workspace pointing to sensitive system paths.
Detection Strategies
- Inspect Agent Zero web access logs for image_get requests whose path parameter contains traversal patterns or absolute paths.
- Correlate process file-read telemetry with the Agent Zero process user to identify reads outside the expected workspace.
- Apply web application firewall rules that normalize and reject paths containing .. segments or non-canonical encodings on the image endpoint.
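One way to implement the access-log inspection described above, as an added example rather than tooling from Agent Zero or this advisory. It assumes common-log-format lines and checks every query value because the page does not name the parameter; the sample lines and function names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [27/May/2026:10:00:01 +0000] "GET /image_get?path=charts/q1.png HTTP/1.1" 200 5120
198.51.100.7 - - [27/May/2026:10:00:02 +0000] "GET /image_get?path=../../data/x.png HTTP/1.1" 200 88
203.0.113.9 - - [27/May/2026:10:00:03 +0000] "GET /image_get?path=..%252f..%252fx.png HTTP/1.1" 200 88
203.0.113.9 - - [27/May/2026:10:00:04 +0000] "GET /image_get?path=%2Fmnt%2Fvol%2Fa.jpg HTTP/1.1" 200 300
192.0.2.5 - - [27/May/2026:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(raw_value: str):
    """Return the reason a path value is suspicious, or None if benign."""
    p = fully_decode(raw_value).replace("\\", "/")
    if "\x00" in p:
        return "nul-byte"
    if p.startswith("/"):
        return "absolute-path"
    if ".." in p.split("/"):  # whole segment only, so "a..b.png" passes
        return "dot-dot-segment"
    return None


def scan(log_text: str):
    """Yield (client, status, reason, decoded_value) per flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or urlsplit(m.group(2)).path.rstrip("/") != "/image_get":
            continue
        client, target, status = m.groups()
        for _key, value in parse_qsl(urlsplit(target).query):
            reason = classify(value)
            if reason:  # status 200 means the file was actually served
                findings.append((client, status, reason, fully_decode(value)))
    return findings
```

If a deployment legitimately passes absolute workspace paths, replace the `absolute-path` rule with a prefix comparison against the known workspace root.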
Monitoring Recommendations
- Forward Agent Zero application and access logs to a centralized logging platform and alert on traversal patterns.
- Monitor for symlink creation events within the agent workspace directory using file integrity monitoring.
- Track outbound responses with non-image MIME content originating from the image endpoint, which can indicate exfiltration of arbitrary files.
How to Mitigate CVE-2026-47118
Immediate Actions Required
- Upgrade Agent Zero to version 1.15 or later, which restores path containment in the image_get handler.
- Restrict network access to Agent Zero instances so the API is not reachable from untrusted networks until patched.
- Run Agent Zero under a dedicated low-privilege user to limit the scope of arbitrary file reads.
- Audit mounted volumes and remove sensitive host paths that the agent does not require.
Patch Information
The upstream fix is available in commit 1f2d5122265282d6b98bc36ee8f9d0f8ab76db9e and is tracked in Agent Zero Issue #1609. Additional analysis is published in the VulnCheck Advisory on Path Traversal.
Workarounds
- Place Agent Zero behind an authenticated reverse proxy that blocks requests containing .., encoded traversal sequences, or absolute paths on the image endpoint.
- Run the agent inside a minimal container with read-only mounts and no access to host secrets, SSH keys, or credential stores.
- Disable or firewall the image_get endpoint at the proxy layer if image serving is not required for the deployment.
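# Example NGINX rule to block traversal patterns on the image endpoint
# $args is the raw, still percent-encoded query string, so the pattern
# matches both literal and encoded forms of "." and "/".
location /image_get {
    if ($args ~* "((\.|%2e){2}(/|%2f)|(/|%2f)(etc|root)(/|%2f))") {
        return 403;
    }
    proxy_pass http://agent_zero_upstream;
}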