CVE-2026-10044: Unauthenticated Arbitrary File Read in Usagi-org ai-goofish-monitor on Windows
Usagi-org's ai-goofish-monitor application contains a critical flaw that allows anyone on the network to read files from an affected Windows server without authentication. By crafting a specially-formed request to the GET /api/prompts/{filename} endpoint, an attacker can bypass the application's path-checking logic and access sensitive files stored on the system—such as configuration files, credentials, or other sensitive data accessible to the application process. The vulnerability exploits a weakness in how the application validates file paths, specifically by allowing absolute Windows paths and backslash characters that the incomplete validation routine fails to detect.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-36
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the GET /api/prompts/{filename} endpoint, which lacks proper input validation on the Windows platform. The application attempts to sanitize user input by blocking forward slashes and '..' traversal sequences; however, this defense is incomplete. An attacker can circumvent the guard by supplying absolute Windows paths (e.g., C:\Windows\System32\config\sam) or by using backslash-based traversal. When such paths are passed to os.path.join(), the function discards the intended prompts directory prefix when an absolute path is encountered, causing the application to read from arbitrary locations rather than the restricted directory. This results in unauthenticated arbitrary file read with the privileges of the application process.
Business impact
An unauthenticated remote attacker can extract sensitive data without authentication, posing immediate confidentiality risks. Exposed files could include application secrets, environment variables containing API keys or database credentials, system configuration, or user data. The lack of authentication means the attack surface is as broad as network access to the vulnerable endpoint. Organizations running ai-goofish-monitor on Windows face potential compromise of downstream systems if credentials or secrets are exposed through file disclosure.
Affected systems
Usagi-org ai-goofish-monitor deployments on Windows systems are affected. The vulnerability is platform-specific to Windows deployments due to the behavior of os.path.join() with absolute paths and backslash path separators on that operating system. Organizations running ai-goofish-monitor on Linux or other Unix-like systems may have different exposure characteristics due to path handling differences; verify your deployment's operating system and configuration.
Exploitability
Exploitability is straightforward. The vulnerability requires only network access to the /api/prompts/ endpoint and no authentication. An attacker can craft HTTP GET requests with malicious filenames containing absolute paths or backslash sequences. No special tooling, user interaction, or complex attack chains are required. The CVSS 3.1 score of 7.5 (HIGH) reflects high network accessibility, low attack complexity, and no privileges or user interaction needed, though impact is limited to confidentiality.
Remediation
Organizations should immediately identify all Windows deployments of ai-goofish-monitor and take one of the following actions: (1) Apply a patched version from Usagi-org that properly validates file paths and rejects both absolute paths and traversal attempts; (2) If no patch is available, disable or restrict network access to the /api/prompts/ endpoint via firewall rules or network segmentation until a fix is deployed; (3) Implement strong authentication on the endpoint and apply principle of least privilege to the application process. Verify that any patched version has been released by checking the Usagi-org advisory and release notes.
Patch guidance
Consult the Usagi-org ai-goofish-monitor project security advisory for patched version availability and upgrade instructions. Ensure the patch fully validates file paths by rejecting absolute paths, backslash sequences, and other traversal patterns on Windows systems. Test the patch in a non-production environment before deployment. Verification should confirm that the application now restricts file access to the intended prompts directory and rejects malicious path inputs. If no official patch is available at the time of assessment, maintain mitigations (network isolation, authentication enforcement) until one is released.
Detection guidance
Monitor web server and application logs for suspicious requests to /api/prompts/ that contain backslashes, colons (common in Windows absolute paths like C:), or patterns suggesting traversal attempts. Look for repeated or sequential requests with varying path payloads. Implement network-based detection rules for HTTP GET requests to this endpoint containing Windows path indicators. Endpoint detection systems should monitor for unexpected file access by the ai-goofish-monitor process, particularly reads of sensitive system files outside its intended directory. Review access logs for unauthenticated requests succeeding to the endpoint.
Why prioritize this
This vulnerability should be prioritized as HIGH urgency due to unauthenticated remote file read capability, high network accessibility, simplicity of exploitation, and potential exposure of credentials or secrets. Windows deployments should be treated as immediate priority. While the KEV catalog does not yet list this vulnerability, the ease of exploitation and confidentiality impact warrant rapid assessment and remediation. Organizations should inventory their ai-goofish-monitor deployments and apply fixes as soon as patches are available.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects HIGH severity: the vulnerability is remotely exploitable (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and impacts a single user/system (S:U). The primary impact is confidentiality loss (C:H) with no impact to integrity or availability (I:N/A:N). The score appropriately captures the ease of exploitation balanced against a bounded impact scope limited to data disclosure.
Frequently asked questions
Does this vulnerability affect my ai-goofish-monitor deployment on Linux?
The vulnerability specifically affects Windows deployments due to how os.path.join() handles absolute paths on Windows. Linux and Unix deployments may have different path handling behavior, but you should still verify your operating system and contact Usagi-org for platform-specific guidance if uncertain.
What files can an attacker read?
An attacker can read any file accessible to the application process running ai-goofish-monitor. This typically includes system files, configuration files, environment variables stored in files, log files, and any user data the application can access. The scope depends on the permissions granted to the application process.
Is this vulnerability exploitable without network authentication?
Yes. The vulnerability requires no authentication whatsoever. Any remote attacker with network access to the /api/prompts/ endpoint can exploit it. This is why immediate remediation or network isolation is critical.
Will disabling the endpoint stop the attack?
Yes. Disabling or blocking network access to the /api/prompts/ endpoint via firewall or network policies will prevent exploitation until a proper fix is applied. However, applying the upstream patch is the long-term solution.
This analysis is based on the CVE-2026-10044 public disclosure and available security information as of the publication date. Patch availability and remediation steps should be verified against the official Usagi-org advisory and security updates. Organizations should conduct their own risk assessment based on their specific deployment, data sensitivity, and network exposure. No exploit code or weaponized proof-of-concept is provided herein. Testing of patches or mitigations should be performed in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10075MEDIUMDreamMaker Path Traversal: Information Disclosure Risk
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1