Description
A flaw has been found in griptape-ai griptape 0.19.4. This affects an unknown part of the file griptape\tools\computer\tool.py of the component ComputerTool. Executing a manipulation of the argument filename can lead to path traversal. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal Leading to Remote File Access
Action: Patch
AI Analysis

Impact

A flaw in griptape-ai's ComputerTool component (griptape\tools\computer\tool.py) allows a caller to supply a crafted filename argument that the tool resolves to a path outside its intended directory (CWE-22). The CVSS vectors rate the confidentiality, integrity and availability impact as low, so the traversal exposes or alters files reachable by the tool's process rather than the host as a whole. The attack is network-reachable and requires only low privileges, so any deployment that lets remote users drive the tool (for example through an agent API) is exploitable. A proof-of-concept exploit has been published; the vendor did not respond to early disclosure and no fix is listed on this page.

Affected Systems

The vulnerability is present in griptape-ai's griptape version 0.19.4. Any environment running this specific release is vulnerable; no information is available about other affected versions.

Risk and Exploitability

The CVSS 4.0 base score is 5.3 (Medium); the CVSS 3.0/3.1 vectors score 6.3 and the CVSS 2.0 vector 6.5. All of them describe a network-reachable flaw (AV:N/AC:L) that needs low privileges (PR:L) and no user interaction (UI:N). EPSS is below 1% and the flaw is not listed in the CISA KEV catalog, but a proof-of-concept exploit is public (SSVC Exploitation: poc, Automatable: no). Systems that expose the ComputerTool interface to external users face the highest risk; internally restricted deployments remain susceptible to any authenticated caller who can pass a filename into the tool.

Generated by OpenCVE AI on April 6, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a griptape release newer than 0.19.4 addresses the path traversal and upgrade to it; this page lists no fixed version, so confirm the fix in the project's release notes or advisories before relying on an upgrade. Until then, disable the ComputerTool or restrict its interface to trusted callers, since the vector requires only network access and low privileges. After the upgrade or restriction, audit every code path that passes a filename into the ComputerTool, resolve the requested path against the tool's working directory, and reject any result that lands outside it.

Generated by OpenCVE AI on April 6, 2026 at 00:21 UTC.
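The containment check the recommended actions call for, as an added example that is not code from griptape or from this page: a hypothetical file-backed tool that maps a caller-supplied filename into a working directory, showing the naive join that produces the traversal beside a resolve-and-contain check. The working directory /srv/tool/work, the helper names and the sample filenames are assumptions for illustration; nothing here reproduces griptape's actual ComputerTool implementation.

```python
"""Added example (not griptape's code): a hypothetical file-backed tool that
accepts a caller-supplied `filename` and maps it into a working directory,
shown first with the classic traversal bug and then with a containment
check. Paths, names and sample inputs are constructed for illustration."""
import os
import posixpath
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested filename would escape the tool's workdir."""


def vulnerable_resolve(workdir: str, filename: str) -> str:
    """The bug pattern: join and normalise without checking containment.

    posixpath is used so the result is identical on every platform. join()
    discards `workdir` entirely when `filename` is absolute, and normpath()
    collapses `..` segments straight up through the base directory.
    """
    return posixpath.normpath(posixpath.join(workdir, filename))


def safe_resolve(workdir: str, filename: str) -> Path:
    """Resolve `filename` inside `workdir` and refuse anything that escapes.

    The containment check runs on the fully resolved path (symlinks
    followed), so `..` chains, absolute paths and a symlink planted inside
    the workdir that points outside it are all rejected.
    Path.is_relative_to needs Python 3.9+.
    """
    base = Path(workdir).resolve()
    candidate = (base / filename).resolve()
    if not candidate.is_relative_to(base):
        raise PathTraversalError(f"{filename!r} resolves to {candidate}, outside {base}")
    return candidate


def check_requests(workdir: str, filenames) -> dict:
    """Map each requested filename to True (accepted) or False (rejected)."""
    results = {}
    for name in filenames:
        try:
            safe_resolve(workdir, name)
            results[name] = True
        except PathTraversalError:
            results[name] = False
    return results


# Constructed sample inputs: two benign requests and the traversal payloads a
# remote caller could pass through a `filename` argument.
SAMPLE_FILENAMES = [
    "report.txt",
    "sub/dir/data.csv",
    "../../../../etc/passwd",
    "/etc/passwd",
    "sub/../../outside.txt",
]


def demo() -> dict:
    """Run both resolvers (the naive one against an assumed /srv/tool/work,
    the hardened one in a throwaway directory) and return the outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        # Plant a symlink inside the workdir that points at its parent: a
        # string-only check on the joined path would accept "escape/..." but
        # the resolved-path check sees where it really lands.
        link = os.path.join(workdir, "escape")
        try:
            os.symlink(os.path.dirname(workdir), link)
            symlink_planted = True
        except OSError:  # e.g. no symlink privilege on Windows
            symlink_planted = False
        names = SAMPLE_FILENAMES + (["escape/secret.txt"] if symlink_planted else [])
        return {
            "vulnerable": {n: vulnerable_resolve("/srv/tool/work", n) for n in SAMPLE_FILENAMES},
            "hardened": check_requests(workdir, names),
        }


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section)
        for name, outcome in rows.items():
            print(f"  {name!r:32} -> {outcome}")
```

The naive resolver maps both "../../../../etc/passwd" and "/etc/passwd" to /etc/passwd, which is the CWE-22 outcome the advisory describes; the hardened resolver accepts only the two benign names. Checking the resolved path rather than the request string is what closes the symlink case as well.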

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Griptape-ai; Griptape-ai griptape

Type: Vendors & Products
Values Added: Griptape-ai; Griptape-ai griptape

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 22:00:00 +0000

Type: Description
Values Added: A flaw has been found in griptape-ai griptape 0.19.4. This affects an unknown part of the file griptape\tools\computer\tool.py of the component ComputerTool. Executing a manipulation of the argument filename can lead to path traversal. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: griptape-ai griptape ComputerTool tool.py path traversal

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T15:35:44.170Z

Reserved: 2026-04-05T05:17:02.848Z

Link: CVE-2026-5597

Vulnrichment

Updated: 2026-04-06T15:35:34.504Z

NVD

Status: Deferred

Published: 2026-04-05T22:16:01.847

Modified: 2026-06-17T10:59:20.320

Link: CVE-2026-5597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')