CVE-2026-58166
OpenBMB ChatDev - Unauthenticated Path Traversal in Upload Handler Allows Arbitrary File Write and Delete
Vexday Risk Score
41 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.8 · EPSS 0.6% · KEV: no · Public PoC: yes · Nuclei: — · Metasploit: — · Patch: referenced
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing path traversal sequences or an absolute path to the POST uploads session endpoint, which constructs the destination path without sanitization in save_upload_file, causing file write and cleanup operations to target attacker-chosen paths on the server filesystem.
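The defect described above is a destination path built from a client-controlled multipart filename. The following is an added example, not ChatDev's code or its fix commit: it shows the flawed join pattern next to a hardened version that validates the filename and confirms the resolved target is a direct child of the upload directory, and it applies the same validation to the cleanup (delete) path, since the advisory notes both operations are affected. `UPLOAD_ROOT`, all function names and the sample filenames are constructed for this demo.

```python
"""Added example (not ChatDev's own code): validating a client-supplied
multipart filename before it is used to build a write or delete target.
UPLOAD_ROOT, the function names and the sample filenames are constructed
for this demo."""
import os
import tempfile
from pathlib import Path

# Assumed per-session upload directory; the real application's layout differs.
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "demo_uploads"


def unsafe_destination(upload_root, filename: str) -> Path:
    """The flawed pattern the advisory describes: join the raw filename onto
    the session directory. os.path.join keeps '..' segments and discards the
    root entirely when the filename is absolute, so the result can point
    anywhere on the filesystem."""
    return Path(os.path.join(str(upload_root), filename))


def escapes_root(upload_root, dest) -> bool:
    """True if dest, after normalisation, lies outside upload_root."""
    root = os.path.normpath(str(upload_root))
    target = os.path.normpath(str(dest))
    return os.path.commonpath([root, target]) != root


def is_safe_filename(filename: str) -> bool:
    """Accept only a plain leaf name: no separators, no traversal components,
    no NUL/control characters, no hidden files. Rejecting outright (rather
    than silently stripping to the basename) keeps malformed requests visible
    in logs, which is what a defender wants for this class of bug."""
    if not filename or filename in (".", ".."):
        return False
    if "/" in filename or "\\" in filename:
        return False
    if any(ord(c) < 32 or ord(c) == 0x7F for c in filename):
        return False
    if filename.startswith("."):
        return False
    return True


def safe_destination(upload_root, filename: str) -> Path:
    """Return the write/delete target inside upload_root, or raise ValueError."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    root = Path(upload_root).resolve()
    candidate = (root / filename).resolve()
    # Defence in depth: even a name that passed the syntactic check must
    # resolve to a direct child of the root (this also catches a symlink
    # planted under the upload directory that points elsewhere).
    if candidate.parent != root:
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def save_upload(upload_root, filename: str, data: bytes) -> Path:
    """Hardened save: validate first, create the root, then write."""
    dest = safe_destination(upload_root, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def cleanup_upload(upload_root, filename: str) -> bool:
    """Hardened cleanup: the delete target goes through the same validation
    as the write target, so a crafted name cannot remove arbitrary files."""
    dest = safe_destination(upload_root, filename)
    if dest.is_file():
        dest.unlink()
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames, as they might arrive in a multipart body.
    samples = ["report.txt", "../../etc/passwd", "/etc/crontab", "..", "a\x00b.txt"]
    for name in samples:
        flawed = unsafe_destination("/srv/uploads", name)
        print(f"{name!r:22} unsafe join -> {str(flawed):32} "
              f"escapes={escapes_root('/srv/uploads', flawed)} "
              f"hardened accepts={is_safe_filename(name)}")
    written = save_upload(UPLOAD_ROOT, "report.txt", b"hello")
    print("wrote", written, "removed:", cleanup_upload(UPLOAD_ROOT, "report.txt"))
```

The syntactic check and the resolved-path check are deliberately separate: the first gives a clear reject reason that can be logged and alerted on, the second guards against anything the first did not anticipate (symlinks, platform path quirks). A detection rule for this CVE class can key on the same condition, an upload filename containing a separator or `..`, in the web server's access or application logs.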
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
OpenBMB · ChatDev
Public PoCs found: 1
cve_reference: github.com/OpenBMB/ChatDev/issues/638 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- https://github.com/OpenBMB/ChatDev/commit/4fd4da603801766b14ad8788649cfc1ad21f99a6
- https://github.com/OpenBMB/ChatDev/issues/638
- https://github.com/OpenBMB/ChatDev/pull/641
- https://www.vulncheck.com/advisories/openbmb-chatdev-unauthenticated-path-traversal-in-upload-handler-allows-arbitrary-file-write-and-delete