Vulnerability  ·  2026-07-01

Vibe-Trading Agentic Trading Platform — Path Traversal in Proposal File Loading Enables Arbitrary File Read (CVE-2026-58170)

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-58170
CVE-2026-58170 (CVSS 8.3 High) affects Vibe-Trading before 0.1.10. The platform builds a proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitisation in agent/src/live/mandate/commit.py. A proposal identifier containing path traversal sequences (e.g., ../../etc/passwd) causes the application to load an attacker-chosen file from the filesystem. Published 2026-06-30.
Vibe-Trading is an agentic AI trading platform where AI agents execute financial mandates. Path traversal in the mandate commit pathway allows an attacker to read arbitrary files from the server hosting the agent — including configuration files, API keys for financial brokers, and agent state files — potentially enabling financial fraud or broker credential theft.
Attacker supplies a proposal identifier containing path traversal sequences to the mandate commit endpoint; the unsanitised join causes the agent to open and process an arbitrary file path.
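The unsanitised join described above, beside the containment check that stops it, as an added Python illustration. This is constructed for this page and is not Vibe-Trading's code or the fix in the referenced commit; the function names, the proposals directory layout and the sample files are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: a valid identifier is a plain file name starting with an alphanumeric.
PROPOSAL_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def load_proposal_unsafe(proposals_dir, proposal_id: str) -> str:
    """Vulnerable pattern: the identifier is joined straight onto the directory."""
    with open(os.path.join(proposals_dir, proposal_id)) as fh:
        return fh.read()


def resolve_proposal_path(proposals_dir, proposal_id: str) -> Path:
    """Return the proposal path only if it resolves inside proposals_dir."""
    if not PROPOSAL_ID_RE.fullmatch(proposal_id):
        raise ValueError(f"invalid proposal id: {proposal_id!r}")
    base = Path(proposals_dir).resolve()
    # resolve() collapses '..' and follows symlinks, so an ancestry check on
    # the resolved path also stops a symlink inside the directory pointing out.
    candidate = (base / proposal_id).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{proposal_id!r} escapes the proposals directory")
    return candidate


def load_proposal_safe(proposals_dir, proposal_id: str) -> str:
    return resolve_proposal_path(proposals_dir, proposal_id).read_text()


def _rejected(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed layout: proposals dir, broker config one level up, symlink to it."""
    root = Path(tempfile.mkdtemp())
    (root / "broker.json").write_text('{"api_key": "constructed-placeholder"}')
    proposals = root / "proposals"
    proposals.mkdir()
    (proposals / "p-42.json").write_text('{"side": "buy"}')
    os.symlink(root / "broker.json", proposals / "link.json")
    return {
        "safe_ok": load_proposal_safe(proposals, "p-42.json"),
        "unsafe_leak": load_proposal_unsafe(proposals, "../broker.json"),
        "traversal_rejected": _rejected(load_proposal_safe, proposals, "../broker.json"),
        "symlink_rejected": _rejected(load_proposal_safe, proposals, "link.json"),
    }
```

The identifier allow-list rejects the traversal input before any filesystem access, and the resolved-ancestor check covers what an allow-list alone cannot, such as a symlink planted inside the directory.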
HKUDS/Vibe-Trading < 0.1.10
Upgrade to Vibe-Trading 0.1.10 or later. Fix commit: https://github.com/HKUDS/Vibe-Trading/commit/0ab701302f90e701c9dc558a898a217a376610c3
Sources
NVD: CVE-2026-58170
GitHub fix commit