{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pipecat-ai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pipecat-ai (\u003e= 0.0.90, \u003c 1.2.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","python","cve-2026-44716"],"_cs_type":"advisory","_cs_vendors":["pipecat-ai"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in Pipecat\u0026rsquo;s development runner (\u003ccode\u003esrc/pipecat/runner/run.py\u003c/code\u003e) within the \u003ccode\u003e/files\u003c/code\u003e endpoint. When the runner is started with the \u003ccode\u003e--folder\u003c/code\u003e flag, it exposes a \u003ccode\u003eGET /files/{filename:path}\u003c/code\u003e endpoint. The \u003ccode\u003efilename\u003c/code\u003e path parameter is vulnerable to directory traversal because it\u0026rsquo;s directly concatenated with \u003ccode\u003eargs.folder\u003c/code\u003e without proper sanitization. Starlette\u0026rsquo;s path normalization is bypassed using \u003ccode\u003e%2F\u003c/code\u003e-encoded slashes. An attacker can read any file the pipecat process has permission to access, including SSH private keys, credentials, and system files, with a single unauthenticated HTTP request. This vulnerability affects pipecat-ai versions \u0026gt;= 0.0.90 and \u0026lt; 1.2.0, and has been confirmed on version 1.1.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe Pipecat runner is started with the \u003ccode\u003e--folder\u003c/code\u003e option, specifying a directory for file downloads.\u003c/li\u003e\n\u003cli\u003eThe runner exposes a \u003ccode\u003eGET /files/{filename:path}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL with \u003ccode\u003e%2F\u003c/code\u003e-encoded directory separators (e.g., \u003ccode\u003e..%2F..%2Fetc%2Fpasswd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP GET request to the runner\u0026rsquo;s \u003ccode\u003e/files\u003c/code\u003e endpoint with the crafted URL.\u003c/li\u003e\n\u003cli\u003eStarlette\u0026rsquo;s router matches the route, and the \u003ccode\u003e%2F\u003c/code\u003e-encoded characters are decoded within the \u003ccode\u003efilename\u003c/code\u003e parameter \u003cem\u003eafter\u003c/em\u003e routing.\u003c/li\u003e\n\u003cli\u003eThe application concatenates the decoded \u003ccode\u003efilename\u003c/code\u003e parameter with the \u003ccode\u003e--folder\u003c/code\u003e path without proper validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.path.exists()\u003c/code\u003e check succeeds because the resolved path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) exists on the system.\u003c/li\u003e\n\u003cli\u003eThe requested file content is returned in the HTTP response, allowing the attacker to read arbitrary files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with network access to the runner to read arbitrary files on the server. This includes sensitive information such as SSH private keys, application credentials, \u003ccode\u003e.env\u003c/code\u003e files, database files, and system files (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e). In LAN deployments where the runner is exposed on the local network, any host can exploit this without credentials, leading to potential data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the remediation steps outlined in the advisory by patching or upgrading pipecat-ai to version 1.2.0 or later to resolve CVE-2026-44716.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Pipecat Path Traversal Attempt via URL Encoding\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for HTTP requests to the \u003ccode\u003e/files\u003c/code\u003e endpoint containing \u003ccode\u003e%2F\u003c/code\u003e-encoded characters in the URL to detect potential path traversal attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T16:55:27Z","date_published":"2026-05-15T16:55:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pipecat-path-traversal/","summary":"Pipecat's development runner has a path traversal vulnerability in the `/files` endpoint due to lack of input validation when handling the filename parameter, allowing an unauthenticated attacker with network access to read arbitrary files on the server using `%2F`-encoded separators.","title":"Pipecat Path Traversal Vulnerability in `/files` Endpoint (CVE-2026-44716)","url":"https://feed.craftedsignal.io/briefs/2026-05-pipecat-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Pipecat-Ai","version":"https://jsonfeed.org/version/1.1"}