EXECUTIVE SUMMARY:
CVE-2026-44716 with a CVSS score of 7.5 is a path traversal vulnerability in Pipecat's development runner that exists when the runner is started with the `--folder` flag and exposes a `GET /files/{filename:path}` download endpoint. The `filename` path parameter is concatenated directly onto `args.folder` with no containment check, allowing an attacker to bypass Starlette's normalisation of literal `../` sequences in URLs by using `%2F`-encoded slashes. An attacker with network access to the runner can read any file the pipecat process has permission to access, including SSH private keys, credentials, and system files, with a single unauthenticated HTTP request. This capability allows an attacker to gain sensitive information, potentially leading to business disruption, data breaches, or unauthorized access to sensitive data, under the condition that the vulnerable Pipecat runner is accessible from the network and the attacker has network access to it.
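The defect described above is the missing containment check between the decoded path parameter and the configured folder. The following is an added example, not Pipecat's code: `naive_join` reproduces the unchecked concatenation pattern, and `safe_resolve` shows the check a file-download handler needs, resolving both the base folder and the candidate path (which collapses `..`, absolute paths and symlinks) before requiring the candidate to lie inside the base. The function names and the temporary file tree built by `make_demo_tree` are constructed for the demonstration; the filenames passed in are in decoded form, as a Starlette `{filename:path}` parameter arrives in the handler after `%2F` has been decoded.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_join(base_folder: str, filename: str) -> str:
    """The pattern the advisory describes: the path parameter is glued onto the
    configured folder with no containment check (illustrative, not Pipecat's code)."""
    return os.path.join(base_folder, filename)


def safe_resolve(base_folder: str, filename: str):
    """Return the resolved Path of `filename` if it is a regular file inside
    `base_folder`, otherwise None.

    `filename` is expected in decoded form, as a `{filename:path}` parameter
    arrives in the handler. Resolving both sides collapses `..`, absolute paths
    and symlinks before the containment comparison is made, so an escape via an
    encoded slash, a leading `/`, or a symlink pointing outside is all rejected.
    """
    base = Path(base_folder).resolve()
    if "\x00" in filename:  # embedded NUL can raise inside realpath(); reject early
        return None
    # Path "/" (like os.path.join) lets an absolute filename replace base;
    # resolve() then places the candidate outside base and relative_to() rejects it.
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def make_demo_tree() -> tuple:
    """Constructed layout: <tmp>/share/hello.txt is the served folder,
    <tmp>/secret.txt sits one level above it. Returns (share_dir, tmp_root)."""
    root = tempfile.mkdtemp(prefix="pipecat-demo-")
    share = os.path.join(root, "share")
    os.mkdir(share)
    Path(share, "hello.txt").write_text("served file\n")
    Path(root, "secret.txt").write_text("must not be served\n")
    return share, root


def demo() -> dict:
    """Run the containment check against the constructed tree; every value is True."""
    share, root = make_demo_tree()
    secret = (Path(root) / "secret.txt").resolve()
    # What the framework hands the handler once %2F in the URL has been decoded.
    decoded_traversal = unquote("..%2Fsecret.txt")
    return {
        "inside_ok": safe_resolve(share, "hello.txt") is not None,
        "traversal_rejected": safe_resolve(share, "../secret.txt") is None,
        "encoded_traversal_rejected": safe_resolve(share, decoded_traversal) is None,
        "absolute_rejected": safe_resolve(share, str(secret)) is None,
        # The unchecked join resolves to the file outside the folder: the bug.
        "naive_join_escapes": Path(naive_join(share, "../secret.txt")).resolve() == secret,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Because `Path.resolve()` follows symlinks, a link placed inside the served folder that targets a file elsewhere is also refused, which plain string prefix checks on the unresolved path miss; the `is_file()` test additionally keeps directories and special files out of the download path.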
RECOMMENDATION:
We recommend updating pipecat-ai to version 1.2.0.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-3363-2ph6-35wh