Platform
python
Component
griptape-ai
Fixed in
0.19.5
CVE-2026-5597 describes a Path Traversal vulnerability discovered in griptape-ai, specifically affecting versions 0.19.4 through 0.19.4. This flaw allows attackers to manipulate the 'filename' argument within the ComputerTool component, potentially granting unauthorized access to files on the system. The exploit is publicly available, raising concerns about potential exploitation. The vendor has not responded to early disclosure attempts.
The primary impact of CVE-2026-5597 is the potential for unauthorized file access. By crafting malicious requests that exploit the Path Traversal vulnerability, an attacker can bypass intended access controls and read arbitrary files on the system where griptape-ai is running. This could include sensitive configuration files, source code, or even user data. The ability to execute the attack remotely significantly broadens the attack surface. Successful exploitation could lead to data breaches, system compromise, and further lateral movement within the network if the compromised system has access to other resources.
A public proof-of-concept (PoC) for CVE-2026-5597 has been published, indicating a relatively high probability of exploitation. The vulnerability has been added to the CISA KEV catalog, further highlighting its significance. Given the availability of a PoC and the lack of vendor response, organizations should prioritize remediation to prevent potential attacks.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-5597 is to upgrade to a patched version of griptape-ai as soon as it becomes available. Since the vendor has not responded, monitoring the project's repository for updates is crucial. As a temporary workaround, implement strict input validation on the 'filename' argument within the ComputerTool component, ensuring that it only accepts expected file paths. Consider using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal attempts. Regularly review access logs for suspicious activity.
Update to a patched version of griptape-ai. The path traversal vulnerability in the tool.py file allows for remote code execution. Check the official griptape-ai sources for upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5597 is a Path Traversal vulnerability affecting griptape-ai versions 0.19.4–0.19.4, allowing attackers to access arbitrary files by manipulating the 'filename' argument.
You are affected if you are using griptape-ai version 0.19.4. Check your deployment and upgrade as soon as a patch is available.
Upgrade to a patched version of griptape-ai. Monitor the project repository for updates, as the vendor has not yet responded. Implement input validation as a temporary workaround.
A public exploit exists, indicating a high probability of active exploitation. The vulnerability is also listed on the CISA KEV catalog.
As of the current date, there is no official advisory from the griptape-ai vendor. Monitor the project's repository and community channels for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.