Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt injection to manipulate file_uploadable parameters to reference sensitive paths such as SSH private keys, causing the CLI to upload credential files to attacker-controlled storage. | |
| Title | Composio SDK < 0.2.32-beta.283 - Sensitive File Upload via tool-file-uploads.ts | |
| First Time appeared |
Composio
Composio composio |
|
| Weaknesses | CWE-73 | |
| CPEs | cpe:2.3:a:composio:composio:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Composio
Composio composio |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-08T19:43:51.506Z
Reserved: 2026-07-07T14:39:14.062Z
Link: CVE-2026-59807
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T21:45:08Z