oss-sec mailing list archives

Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE


From: Ali Raza <aliraza () bluerock io>
Date: Tue, 27 Jan 2026 15:52:22 +0500

---------- Forwarded message ---------
From: Yuvaraj Shanmugam <yuvi () agno com>
Date: Thu, Jan 8, 2026 at 7:49 PM
Subject: Re: Found a Critical Vulnerability in Agno's PythonTools
To: Ali Raza <aliraza () bluerock io>
Cc: <support () agno com>


Hi Ali,

Thank you for sharing this critical vulnerability report regarding
PythonTools and for providing the detailed proof-of-concept.

We appreciate you bringing this to our attention!


Best,
Yuvaraj


On Wed, 7 Jan 2026 at 10:14, 'Ali Raza' via Agno Support <support () agno com>
wrote:

Hi Team,

Happy New Year!

We have identified and confirmed a critical path traversal vulnerability
that leads to sensitive information disclosure and potential Remote Code
Execution (RCE).

Specifically, PythonTools in libs/agno/agno/tools/python.py constructs
file paths using self.base_dir.joinpath(file_name) without validating that
the resolved path remains within base_dir. An attacker controlling the tool
input (either directly or via an agent prompt) can use ../ to traverse the
file system to read, write, or execute files.

Please see the attached proof-of-concept code snippet, which utilizes
existing cookbook examples to demonstrate this issue.

We intend to post a detailed advisory report on GitHub under the
repository's security advisories, provide a patch, and request a CVE number.

Please let us know if you require any additional information from us.

Best regards,

Ali Raza (a.k.a locus-x64)
Vulnerability Researcher

------------------------------
Hi Team,

I am forwarding details regarding a critical path traversal vulnerability
identified in Agno's PythonTools.

The vulnerability resides in libs/agno/agno/tools/python.py, where file
paths are constructed using self.base_dir.joinpath(file_name) without
proper validation. This allows an attacker to traverse the file system to
read, write, or execute files.

Please note that a patch has already been implemented by the maintainers in
the following commit:
https://github.com/agno-agi/agno/commit/710d7e7f846f93b7a3eadfd3e77075428c39e803

We are currently waiting for a CVE to be assigned to this issue.

Best,

Ali Raza
Vulnerability Researcher
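
The unchecked `joinpath` pattern the report describes, next to a containment check, as an added example that is not from the thread, Agno's code, or the linked commit. The function names, the temporary directory layout and the sample file names are constructed for illustration.

```python
from pathlib import Path
import tempfile


def unchecked_join(base_dir: Path, file_name: str) -> Path:
    """Pattern from the report: join with no containment check."""
    return base_dir.joinpath(file_name)


def contained_join(base_dir: Path, file_name: str) -> Path:
    """Join, resolve ('..' and symlinks), and refuse results outside base_dir."""
    base = base_dir.resolve()
    candidate = base.joinpath(file_name).resolve()
    try:
        candidate.relative_to(base)  # ValueError if candidate is not under base
    except ValueError:
        raise PermissionError(f"{file_name!r} resolves outside {base}") from None
    return candidate


def classify(base_dir: Path, names):
    """Return {name: 'allowed' | 'rejected'} for a batch of tool inputs."""
    verdicts = {}
    for name in names:
        try:
            contained_join(base_dir, name)
            verdicts[name] = "allowed"
        except PermissionError:
            verdicts[name] = "rejected"
    return verdicts


def demo():
    """Build a constructed sandbox and classify constructed file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "workspace"
        base.mkdir()
        (root / "outside.txt").write_text("not for the tool")
        (base / "link.txt").symlink_to(root / "outside.txt")  # symlink escape
        names = ["report.py", "sub/../report.py", "../outside.txt",
                 "link.txt", str(root / "outside.txt")]  # last one is absolute
        return classify(base, names)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

An absolute `file_name` needs no `../` at all, because `joinpath` discards the base when its argument is absolute; the check on the resolved path covers that case and the symlink case together.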

