๐Ÿ” CVE Alert

CVE-2026-53535

UNKNOWN 0.0

Activepieces: Arbitrary file write in git-sync via path traversal and symlinks

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Activepieces is an open source AI workflow automation platform. Prior to 0.82.0, the git-sync feature clones a user-configured Git repository into a temporary directory on the server and then writes flow, table, and connection state into it before pushing back, and two separate weaknesses allowed those writes to escape the intended workspace and land on arbitrary paths on the host filesystem: Git's symbolic-link handling was not disabled on the clone, so an attacker who controlled the remote repository could include symlinks that redirected the writes, and several user-supplied identifiers used to build on-disk paths (the repository slug and the externalId of tables, flows, and connections) were not validated against directory-traversal sequences such as ../. On a self-hosted Enterprise Edition deployment, a user authorized to configure or push to a git-sync repository (holding the WRITE_PROJECT_RELEASE permission) could cause the server to overwrite files anywhere the Activepieces process user can write, which depending on host layout can be leveraged for tampering, denial of service, or remote code execution. This issue is fixed in version 0.82.0.

CWE CWE-22 CWE-59
Vendor activepieces
Product activepieces
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for activepieces activepieces

Be the first to know when new unknown vulnerabilities affecting activepieces activepieces are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

activepieces / activepieces
< 0.82.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/activepieces/activepieces/security/advisories/GHSA-qqcr-rg2x-97mm github.com: https://github.com/activepieces/activepieces/pull/12711 github.com: https://github.com/activepieces/activepieces/commit/01bd4ef76fc1ad1bf7adc10c39ece4f624da6bf5 github.com: https://github.com/activepieces/activepieces/releases/tag/0.82.0