Description
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.
Published: 2026-06-30
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vibe‑Trading before version 0.1.10 contains a path traversal flaw in the construction of the swarm run directory. A crafted swarm run identifier is concatenated onto the base runs directory without proper validation, enabling a missing audit of the path. The result is that the application can read arbitrary run.json files residing outside the intended directory and can overwrite existing run.json files in traversed locations. This represents a classic path traversal weakness (CWE‑22) that permits an attacker to access or modify files on the host system.

Affected Systems

The vulnerable product is Vibe‑Trading v0.1.9 and earlier, released by HKUDS. No other affected versions are listed in the authoritative CNA data.

Risk and Exploitability

The CVSS score of 2.3 indicates low complexity and limited impact in the formal metric, and the EPSS score is not available. KEV is not flagged. The vulnerability requires the ability to supply a custom run identifier via the MCP swarm tools, a capability typically available to users with access to the Vibe‑Trading system. The attack surface is therefore constrained to nodes where the swarm tools are operational, but within that scope an attacker could read or overwrite arbitrary configuration files. While the formal severity is low, the potential for unauthorized file modification warrants patching or mitigation.

Generated by OpenCVE AI on June 30, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vibe‑Trading to version 0.1.10 or later, which removes the unchecked path concatenation.
  • If upgrading is not immediately possible, implement input validation or sanitization on the swarm run identifier to prevent directory traversal before it is used to build the run path.
  • Enforce strict file‑system permissions on the runs directory, ensuring only the application’s service account can read or write files within that tree and preventing access to sensitive files outside of it.

Generated by OpenCVE AI on June 30, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.
Title Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T17:13:13.134Z

Reserved: 2026-06-29T16:03:38.521Z

Link: CVE-2026-58171

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')