๐Ÿ” CVE Alert

CVE-2026-59807

MEDIUM 6.8

Composio SDK < 0.2.32-beta.283 - Sensitive File Upload via tool-file-uploads.ts

CVSS Score
6.8
EPSS Score
0.3%
EPSS Percentile
21th

Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt injection to manipulate file_uploadable parameters to reference sensitive paths such as SSH private keys, causing the CLI to upload credential files to attacker-controlled storage.

CWE CWE-73
Vendor composiohq
Product composio
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for composiohq composio

Be the first to know when new medium vulnerabilities affecting composiohq composio are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

ComposioHQ / composio
0 < 0.2.32-beta.283

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ComposioHQ/composio/issues/3746 github.com: https://github.com/ComposioHQ/composio/releases/tag/%40composio%2Fcli%400.2.32-beta.283 github.com: https://github.com/ComposioHQ/composio/pull/3763 github.com: https://github.com/ComposioHQ/composio/commit/fc17c37bf95b7ece5c038cb7e2ab7e3e4a064e3a vulncheck.com: https://www.vulncheck.com/advisories/composio-sdk-beta-283-sensitive-file-upload-via-tool-file-uploads-ts

Credits

George Chen