Vulnerability  ·  2026-07-02

Vibe-Trading — MCP Swarm Run Directory Path Traversal Allows Arbitrary Run Metadata Read

VulnerabilityMedium impactGlobalCVE-2026-58171
CVE-2026-58171 (CVSS 4.2 Medium), published 2026-06-30, is a companion path traversal to CVE-2026-58170, affecting the swarm store's run directory resolution. The impact is limited to reading run metadata files rather than arbitrary filesystem write.
Although lower severity than its companion CVEs, run metadata in an agentic trading system may include sensitive information about active trading strategies, agent state, and task parameters. Part of the same trifecta of path issues fixed in Vibe-Trading 0.1.10.
The run_dir function in agent/src/swarm/store.py constructs a run directory path by joining a caller-supplied run identifier onto the runs base directory without validation. A crafted run identifier with path traversal sequences causes the application to read run.json files outside the intended runs directory.
HKUDS Vibe-Trading before 0.1.10
Upgrade to Vibe-Trading 0.1.10. Fix commit: https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
Sources
NVD CVE-2026-58171GitHub fix commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →