CVE-2026-59807
Composio SDK < 0.2.32-beta.283 - Sensitive File Upload via tool-file-uploads.ts
CVSS Score
6.8
EPSS Score
0.3%
EPSS Percentile
21th
Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt injection to manipulate file_uploadable parameters to reference sensitive paths such as SSH private keys, causing the CLI to upload credential files to attacker-controlled storage.
| CWE | CWE-73 |
| Vendor | composiohq |
| Product | composio |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for composiohq composio
Be the first to know when new medium vulnerabilities affecting composiohq composio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
ComposioHQ / composio
0 < 0.2.32-beta.283
References
github.com: https://github.com/ComposioHQ/composio/issues/3746 github.com: https://github.com/ComposioHQ/composio/releases/tag/%40composio%2Fcli%400.2.32-beta.283 github.com: https://github.com/ComposioHQ/composio/pull/3763 github.com: https://github.com/ComposioHQ/composio/commit/fc17c37bf95b7ece5c038cb7e2ab7e3e4a064e3a vulncheck.com: https://www.vulncheck.com/advisories/composio-sdk-beta-283-sensitive-file-upload-via-tool-file-uploads-ts
Credits
George Chen