CVE-2026-39981: AGiXT Vulnerable to Path Traversal in safe_join()

April 8, 2026 (updated April 9, 2026)

The safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance.

References

github.com/Josh-XT/AGiXT
github.com/Josh-XT/AGiXT/releases/tag/v1.9.2
github.com/Josh-XT/AGiXT/security/advisories/GHSA-5gfj-64gh-mgmw
github.com/advisories/GHSA-5gfj-64gh-mgmw
nvd.nist.gov/vuln/detail/CVE-2026-39981

Code Behaviors & Features

Detect and mitigate CVE-2026-39981 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →