Path Traversal Vulnerability in Pipecat Framework for Voice Agents
CVE-2026-44716
7.5HIGH
What is CVE-2026-44716?
Pipecat, an open-source Python framework for developing conversational agents, is prone to a path traversal vulnerability in its development runner. This vulnerability allows a malicious user to manipulate the filename path parameter within the GET /files/{filename:path} download endpoint, exposing sensitive files on the server. By using the --folder flag, an attacker can send an unauthenticated HTTP request to access files beyond the intended directory, potentially gaining access to SSH private keys, credentials, and other critical system files. This security issue was addressed in Pipecat version 1.2.0.
Affected Version(s)
pipecat >= 0.0.90, < 1.2.0
