What happened
CVE-2026-58171 (CVSS 4.2 Medium), published 2026-06-30, is a companion path traversal to CVE-2026-58170, affecting the swarm store's run directory resolution. The impact is limited to reading run metadata files rather than arbitrary filesystem write.
Why it matters
Although this issue is lower severity than its companion CVEs, run metadata in an agentic trading system may include sensitive information about active trading strategies, agent state, and task parameters. It is part of the same trifecta of path issues fixed in Vibe-Trading 0.1.10.
Attack vector
The run_dir function in agent/src/swarm/store.py constructs a run directory path by joining a caller-supplied run identifier onto the runs base directory without validation. A crafted run identifier with path traversal sequences causes the application to read run.json files outside the intended runs directory.
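The join pattern described above, next to a validated variant, as an added example that is not the project's code or its actual fix. The function names, the identifier format in `RUN_ID_RE` and the sample identifiers are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed identifier format for this sketch; the page does not give the real one.
RUN_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def run_dir_unvalidated(base: Path, run_id: str) -> Path:
    """Pattern described in the advisory: join the identifier with no checks."""
    return base / run_id


def run_dir_checked(base: Path, run_id: str) -> Path:
    """Hardened variant: allow-list the identifier, then confirm containment."""
    if not RUN_ID_RE.fullmatch(run_id):
        raise ValueError(f"invalid run identifier: {run_id!r}")
    root = base.resolve()
    candidate = (root / run_id).resolve()
    # resolve() follows symlinks, so a run directory that is a symlink
    # pointing outside the base is rejected here as well.
    if candidate.parent != root:
        raise ValueError(f"run directory escapes {root}")
    return candidate


def escapes_base(base: Path, path: Path) -> bool:
    """True when path resolves to a location outside base."""
    return not path.resolve().is_relative_to(base.resolve())


def demo() -> dict:
    """Run both variants over constructed identifiers in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "runs"
        (base / "run-001").mkdir(parents=True)
        for run_id in ["run-001", "../outside", "a/../../outside", "/etc"]:
            unsafe = escapes_base(base, run_dir_unvalidated(base, run_id))
            try:
                run_dir_checked(base, run_id)
                checked = "accepted"
            except ValueError:
                checked = "rejected"
            results[run_id] = (unsafe, checked)
    return results


if __name__ == "__main__":
    print(demo())
```

The absolute-path case shows why an allow-list alone is worth pairing with the containment check: `pathlib` discards the base entirely when the right-hand operand is absolute.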
Affected systems
HKUDS Vibe-Trading before 0.1.10
Mitigation
Upgrade to Vibe-Trading 0.1.10. Fix commit: https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab