Description
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pipecat’s development runner exposes a GET /files endpoint when started with the --folder flag. The filename path is concatenated directly onto the folder path without containment checks. Because Starlette normalises literal '..' sequences after routing, but %2F-encoded slashes are decoded after routing, an attacker can craft a request such as /files/..%2F..%2Fetc%2Fpasswd to read files two levels above the configured folder. The result is that any file the pipecat process can read, including SSH private keys and system configuration files, becomes available to an unauthenticated user. This allows an attacker to compromise confidentiality and potentially leverage the accessed data for further exploits.

Affected Systems

The vulnerability exists in the open‑source Pipecat framework provided by pipecat-ai. Version ranges 0.0.90 through 1.1.x (inclusive) are affected because the development runner (src/pipecat/runner/run.py) contains the unchecked path concatenation. The issue was fixed in version 1.2.0, which removes the vulnerable endpoint when the --folder option is omitted or otherwise restricts file access.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalogue. Because the endpoint is an HTTP GET request with no authentication, an attacker who can reach the Pipecat runner over the network can exploit the flaw immediately. The primary risk is arbitrary file read, potentially exposing sensitive system credentials and private keys that the service process can access.

Generated by OpenCVE AI on June 10, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pipecat to version 1.2.0 or later, which removes the vulnerable /files endpoint and introduces proper path validation.
  • If upgrading is not immediately possible, do not start the runner with the --folder flag or remove the /files endpoint entirely; this eliminates the unauthenticated file read surface.
  • Apply network segmentation or firewall rules to restrict external access to the Pipecat development runner so that only trusted internal hosts can reach its HTTP interface.

Generated by OpenCVE AI on June 10, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3363-2ph6-35wh Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
History

Wed, 10 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Pipecat-ai
Pipecat-ai pipecat
Vendors & Products Pipecat-ai
Pipecat-ai pipecat

Tue, 09 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access — including SSH private keys, credentials, and system files — with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0.
Title Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Pipecat-ai Pipecat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:07:25.868Z

Reserved: 2026-05-07T17:07:09.319Z

Link: CVE-2026-44716

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:53.110

Modified: 2026-06-10T00:16:53.110

Link: CVE-2026-44716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses