CVE-2026-44716: Pipecat Path Traversal Vulnerability – Arbitrary File Read
Pipecat, an open-source Python framework for building voice and conversational AI agents, contains a path traversal vulnerability in its development runner. When started with the --folder flag, the runner exposes an unauthenticated file download endpoint that fails to validate user-supplied filenames. An attacker on the network can craft specially-encoded URLs to read files anywhere on the system that the Pipecat process can access—such as SSH keys, API credentials, configuration files, and system files. The vulnerability affects versions 0.0.90 through 1.1.x and has been fixed in version 1.2.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Pipecat's development runner (src/pipecat/runner/run.py) in the GET /files/{filename:path} endpoint. The filename path parameter is concatenated directly to args.folder without any path containment validation. While Starlette's URL routing normalizes literal ../ sequences, the endpoint processes %2F-encoded slashes (/) after URL decoding, allowing sequences like ..%2F..%2Fetc%2Fpasswd to traverse directories above the intended folder root. The attacker needs only network access and no authentication. This is a classic CWE-22 path traversal flaw exacerbated by the interaction between URL encoding, routing, and decoding logic.
Business impact
Organizations using Pipecat in development or testing environments face exposure of sensitive data accessible to the process—credentials, private keys, API tokens, and proprietary configuration files. If development runners are exposed to untrusted networks or run with broad file permissions, the blast radius widens significantly. The main risk is confidentiality breach; integrity and availability are not directly compromised. Development tool compromise can also serve as a beachhead for deeper network reconnaissance.
Affected systems
Pipecat versions 0.0.90 through 1.1.x are vulnerable when the development runner is started with the --folder flag. The vulnerability does not affect production deployments that do not use the development runner or that do not expose the runner to network access. Open-source projects and development teams using Pipecat for agent development are most directly affected.
Exploitability
Exploitation is trivial and requires no special tools or authentication. An attacker with network access to the runner can craft a single HTTP GET request using percent-encoded path traversal sequences to read arbitrary files. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects the high severity: the attack vector is network-based, complexity is low, no privileges or user interaction are required, and confidentiality impact is high. The vulnerability is likely already known in public security forums and proof-of-concept requests have likely surfaced.
Remediation
Upgrade Pipecat to version 1.2.0 or later immediately. If immediate upgrade is not possible, disable the --folder flag on the development runner or restrict network access to the runner using firewall rules, VPNs, or host-based access controls. Do not expose the development runner to the public internet or untrusted networks.
Patch guidance
The vendor has released version 1.2.0 as the official patch. Verify the patch is available in your package manager (pip for Python) and test the upgrade in a non-production environment first. Check Pipecat's official GitHub releases and changelog for version 1.2.0 to confirm the path traversal fix is included. If running Pipecat from source, pull the latest main branch or checkout the release tag for v1.2.0.
Detection guidance
Monitor your development runner logs for HTTP requests to /files/ endpoints with unusual path patterns, especially those containing %2F, .., or encoded special characters. If the runner is accessible via network monitoring, inspect HTTP traffic for GET requests with suspicious filenames. Review file access logs for the Pipecat process to identify reads of sensitive files (e.g., .ssh, .aws, .env files, /etc/passwd) that correlate with the runner's operation window. If you suspect compromise, audit which files were accessed and consider rotating credentials in affected directories.
Why prioritize this
This vulnerability merits immediate attention because it requires no authentication, can be exploited over the network with a single request, and directly exposes sensitive credentials and keys. The high CVSS score (7.5) reflects the ease of exploitation and severe confidentiality impact. Development tools are often overlooked in security scans, increasing the likelihood that vulnerable instances remain unpatched. However, because it requires network access and affects only the development runner (not production), organizations with proper network segmentation can lower immediate risk.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is justified by: (1) network-accessible attack vector requiring no special privileges or authentication; (2) low attack complexity—a standard HTTP request suffices; (3) high confidentiality impact—unrestricted file read access to the process's permissions; and (4) no integrity or availability impact. The score does not account for the fact that the runner must be explicitly invoked with --folder and must be network-accessible, both of which may limit real-world exposure in some organizations.
Frequently asked questions
Is my production deployment at risk if I use Pipecat?
Only if your production environment uses the development runner with the --folder flag and has network exposure to it. Standard production deployments of Pipecat using its core conversational agent libraries do not include the vulnerable runner endpoint. Review your deployment configuration to confirm whether you are using the development runner.
Do I need to rotate credentials if my runner was exposed?
Yes, immediately. If the runner was accessible on the network, assume that attackers may have read SSH keys, API tokens, database credentials, and other secrets stored in files the Pipecat process could access. Rotate all credentials that may have been exposed, revoke SSH keys, and regenerate API tokens.
Can I safely run the development runner on localhost only?
Localhost-only binding significantly reduces risk, but is safe only if you control and trust all processes on that machine. If you must use the runner, bind it to 127.0.0.1 exclusively and do not expose it via reverse proxies or SSH port forwarding without authentication. Upgrade to version 1.2.0 regardless.
Does this affect other path traversal issues in Pipecat?
This CVE addresses a specific flaw in the --folder endpoint's file download logic. While the fix in v1.2.0 patches this instance, you should review Pipecat's code and security advisories for any other path traversal or file access issues and stay current with security updates.
This analysis is based on the official CVE record and vendor advisory as of the publication date. Security teams should verify compatibility and test patches in their own environments before deploying to production. The vulnerability details and exploitability assessment are provided for educational and defensive purposes. Organizations are advised to consult Pipecat's official security channels, GitHub repository, and their own vulnerability management policies for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write