Description
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.
Published: 2026-05-28
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Usagi-org ai-goofish-monitor allows an attacker to read arbitrary files on Windows systems through the GET /api/prompts/{filename} endpoint. The flaw resides in an incomplete path traversal guard that only forbids forward slashes and '..' sequences. Because absolute Windows paths or backslash-based traversal strings are accepted, os.path.join removes the intended prompts directory prefix, exposing sensitive files that the application process can access. This is a classic absolute path traversal vulnerability (CWE-36) that can disclose confidential data.

Affected Systems

Affects all installations of the ai-goofish-monitor product by Usagi-org that are deployed on Windows. No specific version or patch level is mentioned in the advisory, so every released version that contains the vulnerable endpoint should be considered impacted.

Risk and Exploitability

The CVSS score of 8.2 classifies this as a high-severity vulnerability. The lack of an EPSS score indicates there is no publicly available exploitation probability data at the time of the analysis, but the vulnerability is technically simple to exploit via an unauthenticated GET request from a remote host. Since the issue is not listed in the CISA KEV catalog, it has not yet been confirmed in the wild, yet the potential to read arbitrary files warrants prompt remediation.

Generated by OpenCVE AI on May 28, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor’s latest patch or update that removes the insecure path handling.
  • Restrict network access to the /api/prompts endpoint via firewalls or reverse proxy rules so only authorized IP ranges can reach it.
  • Enforce authentication for the endpoint, or disable it if not needed.
  • Enable file-system level permissions to limit the application process to the prompts directory only.

Generated by OpenCVE AI on May 28, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Usagi-org
Usagi-org ai-goofish-monitor
Vendors & Products Usagi-org
Usagi-org ai-goofish-monitor

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.
Title ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/
Weaknesses CWE-36
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Usagi-org Ai-goofish-monitor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T02:21:57.506Z

Reserved: 2026-05-28T20:52:04.733Z

Link: CVE-2026-10044

cve-icon Vulnrichment

Updated: 2026-05-30T02:21:49.647Z

cve-icon NVD

Status : Received

Published: 2026-05-28T22:16:58.453

Modified: 2026-05-30T04:17:05.463

Link: CVE-2026-10044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:44Z

Weaknesses