CVE-2026-58166
OpenBMB ChatDev - Unauthenticated Path Traversal in Upload Handler Allows Arbitrary File Write and Delete
| CVSS Score | 9.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing path traversal sequences or an absolute path to the POST uploads session endpoint, which constructs the destination path without sanitization in save_upload_file, causing file write and cleanup operations to target attacker-chosen paths on the server filesystem.
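The description above says the handler builds the destination from the multipart filename without sanitization, so both the write and the later cleanup act on an attacker-chosen path. The Python below is an added example, not ChatDev's code, that contrasts that pattern with a hardened destination calculation shared by write and delete. The function names (`vulnerable_destination`, `safe_filename`, `safe_destination`, `save_upload`, `discard_upload`), the per-session upload directory and every filename used are assumptions constructed for illustration.

```python
"""Added example (not ChatDev's code): an unsanitized multipart filename
versus a hardened destination calculation for an upload session.

Assumptions: `upload_dir` is the server-side directory one upload session owns;
`client_filename` is the `filename=` value taken from the multipart part.
"""
import os
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def vulnerable_destination(upload_dir: str, client_filename: str) -> Path:
    """The unsafe pattern: the client string is joined onto the upload dir as-is.

    os.path.join drops every preceding component when the client value is
    absolute, and '..' segments are kept, so the result can point anywhere.
    """
    return Path(os.path.join(upload_dir, client_filename))


def escapes(upload_dir: str, candidate: Path) -> bool:
    """True when `candidate` resolves to a location outside `upload_dir`."""
    base = Path(upload_dir).resolve()
    target = candidate.resolve()
    return target != base and base not in target.parents


def safe_filename(client_filename: str) -> str:
    """Reduce the client string to one conservative path component."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Take the last component under POSIX and then Windows separator rules,
    # so 'a/b', 'a\\b' and 'C:\\a\\b' all collapse to 'b'.
    name = PureWindowsPath(PurePosixPath(client_filename).name).name
    # Allow-list characters; anything else (spaces, quotes, control chars) becomes '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Strip leading dots so the result is never '', '.', '..' or a dotfile.
    name = name.lstrip(".")
    if not name:
        raise ValueError("filename has no usable characters")
    return name[:255]


def safe_destination(upload_dir: str, client_filename: str) -> Path:
    """Hardened destination: sanitized name plus a containment check.

    The containment check is defence in depth: if safe_filename were ever
    wrong, a result outside upload_dir is refused rather than acted upon.
    """
    base = Path(upload_dir).resolve()
    dest = (base / safe_filename(client_filename)).resolve()
    if dest.parent != base:
        raise ValueError("destination escapes the upload directory")
    return dest


def is_accepted(client_filename: str) -> bool:
    """Convenience predicate: does the hardened path accept this filename?"""
    try:
        safe_destination("/srv/uploads", client_filename)  # assumed base dir
        return True
    except ValueError:
        return False


def save_upload(upload_dir: str, client_filename: str, data: bytes) -> Path:
    """Write an upload body using the hardened destination."""
    dest = safe_destination(upload_dir, client_filename)
    Path(upload_dir).mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def discard_upload(upload_dir: str, client_filename: str) -> bool:
    """Cleanup goes through the same helper, so it cannot target another path."""
    dest = safe_destination(upload_dir, client_filename)
    if dest.is_file():
        dest.unlink()
        return True
    return False


def demo() -> dict:
    """Round trip in a throwaway session directory with a traversal-style name."""
    with tempfile.TemporaryDirectory(prefix="upload-session-") as session_dir:
        written = save_upload(session_dir, "../../etc/evil.txt", b"constructed body")
        inside = written.parent == Path(session_dir).resolve()
        deleted = discard_upload(session_dir, "../../etc/evil.txt")
        return {"name": written.name, "inside": inside,
                "deleted": deleted, "still_exists": written.exists()}


if __name__ == "__main__":
    for raw in ["report.txt", "../../etc/passwd", "/etc/passwd", "..\\..\\win.ini"]:
        print(f"{raw!r:24} unsafe -> {vulnerable_destination('/srv/uploads', raw)}"
              f"  accepted={is_accepted(raw)}")
    print(demo())
```

Reducing the name to a single component is the same approach as `werkzeug.utils.secure_filename`; the extra `resolve()` comparison catches a mistake in the sanitizer and any symlink planted in the upload directory, and routing the cleanup through the same helper removes the second attacker-controlled delete the advisory describes.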
| CWE | CWE-22 |
| Vendor | openbmb |
| Product | chatdev |
| Published | Jun 30, 2026 |
| Last Updated | Jun 30, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | High |
Affected Versions
OpenBMB / ChatDev
0 ≤ version ≤ 2.2.0
References
github.com: https://github.com/OpenBMB/ChatDev/issues/638
github.com: https://github.com/OpenBMB/ChatDev/pull/641
github.com: https://github.com/OpenBMB/ChatDev/commit/4fd4da603801766b14ad8788649cfc1ad21f99a6
vulncheck.com: https://www.vulncheck.com/advisories/openbmb-chatdev-unauthenticated-path-traversal-in-upload-handler-allows-arbitrary-file-write-and-delete
Credits
George Chen