CVE-2026-47119 Overview
CVE-2026-47119 is a stored cross-site scripting (XSS) vulnerability affecting Agent Zero versions before 1.15. The flaw exists in the image_get API endpoint, which serves SVG files without setting Content-Security-Policy, X-Content-Type-Options, or Content-Disposition response headers. An attacker who can place a crafted SVG file in any path readable by the agent-zero process can trigger script execution in the application origin when an authenticated user visits the endpoint. The injected JavaScript runs with the victim's session context, enabling theft of the csrf_token cookie and unauthorized API calls. This issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated session compromise leading to CSRF token theft and unauthorized API actions performed on behalf of the victim user.
Affected Products
- Agent Zero versions prior to 1.15
- Deployments exposing the image_get API endpoint
- Instances where the agent-zero process can read attacker-controlled file paths
Discovery Timeline
- 2026-05-27 - CVE-2026-47119 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-47119
Vulnerability Analysis
The vulnerability resides in how Agent Zero's image_get API endpoint returns SVG files to the requesting browser. SVG is an XML-based format that supports embedded <script> elements and JavaScript event handlers. When the endpoint serves an SVG without restrictive response headers, the browser renders it as an active document in the application origin. Any script tags contained within the SVG execute with the full privileges of the authenticated session.
Because the script runs in the same origin as Agent Zero, it can read same-origin cookies that lack the HttpOnly flag, including the csrf_token cookie. With that token, the attacker's payload can issue authenticated API requests that bypass CSRF protections. The result is unauthorized action execution scoped to the victim's privileges within the application.
Root Cause
The root cause is missing defense-in-depth response headers on the image_get endpoint. Specifically, the absence of Content-Security-Policy permits inline script execution, the absence of X-Content-Type-Options: nosniff allows MIME confusion, and the absence of Content-Disposition: attachment causes browsers to render SVG content inline rather than treat it as a download. Combined, these gaps allow attacker-supplied SVG content to be interpreted as executable script.
Attack Vector
Exploitation requires two preconditions: the attacker must write a crafted SVG containing script tags to a path readable by the agent-zero process, and an authenticated user must be lured to the image_get URL referencing that file. When the victim's browser fetches the SVG, the embedded JavaScript executes in the Agent Zero origin, exfiltrates the csrf_token cookie, and invokes API endpoints as the victim. User interaction is required, which is reflected in the UI:P CVSS component.
No verified exploit code is published. Refer to the VulnCheck Advisory on XSS and the GitHub Issue Discussion for technical context.
Detection Methods for CVE-2026-47119
Indicators of Compromise
- SVG files containing <script> tags, onload=, or javascript: URIs located in directories readable by the agent-zero process
- HTTP requests to the image_get endpoint referencing SVG paths outside expected application asset directories
- Outbound HTTP requests from authenticated browser sessions containing exfiltrated csrf_token values
Detection Strategies
- Inspect HTTP responses from image_get for Content-Type: image/svg+xml lacking Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers
- Scan filesystem locations accessible to the agent-zero service for SVG files containing script payloads or event handler attributes
- Correlate image_get requests with subsequent authenticated API calls from the same session that diverge from normal user behavior
Monitoring Recommendations
- Enable web access logging on the Agent Zero application and alert on image_get requests resolving to non-standard file paths
- Monitor for anomalous API call patterns following SVG fetches within the same session
- Track file write events to directories readable by the agent-zero process, particularly for files with .svg extensions
How to Mitigate CVE-2026-47119
Immediate Actions Required
- Upgrade Agent Zero to version 1.15 or later, which applies the fix referenced in the GitHub Commit Update
- Restrict write access to directories readable by the agent-zero process to trusted users only
- Audit existing SVG files within agent-readable paths and remove any containing script content
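The audit step above, and the filesystem scan listed under Detection Strategies, can be scripted. The following is an added example, not code from Agent Zero or from the advisory; the function names and sample SVGs are constructed for illustration, and it generalizes the onload= indicator to any on* attribute.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples for illustration; not taken from any real incident.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
    b'<script>/* constructed */</script>'
    b'<a href="javascript:void(0)"><rect width="1" height="1"/></a></svg>'
)

def local(name: str) -> str:
    """Strip an XML namespace: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(data: bytes) -> list[str]:
    """Return findings that make an SVG an active document; [] means none found."""
    # Do not parse files that declare entities: expansion can hide or inflate content.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A parse failure does not prove the file is inert; flag it for review.
        return ["unparseable"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("element:script")
        for name, value in el.attrib.items():
            attr = local(name)  # also covers xlink:href
            if attr.startswith("on"):
                findings.append(f"handler:{attr}")
            elif attr == "href" and re.sub(r"\s+", "", value).lower().startswith("javascript:"):
                findings.append(f"uri:{attr}")
    return findings

def scan_dir(root: str) -> dict[str, list[str]]:
    """Audit every .svg under root, e.g. a directory the agent-zero process can read."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            findings = audit_svg(path.read_bytes())
            if findings:
                hits[str(path)] = findings
    return hits
```

Run `scan_dir` over each directory readable by the service account; any file it returns should be reviewed or removed before the endpoint is exposed again.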
Patch Information
The upstream fix is committed at GitHub Commit 1f2d5122. The patch addresses the missing response headers on the image_get endpoint. Operators should validate the version after upgrade and confirm that responses include the appropriate security headers.
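To confirm the headers after an upgrade or proxy change, the head of a captured image_get response can be checked as below. This is an added example, not project code; the sample responses are constructed, and the expected values follow the workaround on this page, since the exact values the 1.15 fix emits are not stated here.

```python
from email.parser import Parser

# Constructed response heads for illustration.
UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/svg+xml\r\n"
    "Content-Length: 182\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/svg+xml; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Disposition: attachment\r\n\r\n"
)

def csp_blocks_scripts(policy: str) -> bool:
    """True if the policy leaves no script source (script-src, else default-src)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins, as in the CSP specification.
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    return sources in ([], ["'none'"])

def missing_svg_protections(raw_head: str) -> list[str]:
    """List the protections an SVG response lacks; non-SVG responses return []."""
    _, _, header_block = raw_head.partition("\r\n")  # drop the status line
    headers = Parser().parsestr(header_block, headersonly=True)
    if headers.get_content_type() != "image/svg+xml":
        return []
    missing = []
    policies = headers.get_all("Content-Security-Policy") or []
    if not any(csp_blocks_scripts(p) for p in policies):
        missing.append("Content-Security-Policy")
    if (headers.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        missing.append("X-Content-Type-Options")
    if headers.get_content_disposition() != "attachment":
        missing.append("Content-Disposition")
    return missing
```

A Content-Security-Policy header that is present but still permits a script source is reported as missing, because it does not stop the embedded script.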
Workarounds
- Place a reverse proxy in front of Agent Zero that injects Content-Security-Policy: default-src 'none', X-Content-Type-Options: nosniff, and Content-Disposition: attachment on responses from image_get
- Block or filter SVG file serving through image_get until the upgrade is applied
- Mark session cookies as HttpOnly and SameSite=Strict where feasible to reduce token theft impact
# Example nginx reverse proxy header injection for the image_get endpoint
location /image_get {
    proxy_pass http://agent_zero_upstream;
    add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Disposition "attachment" always;
}