GHSA-3363-2ph6-35wh: Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
Summary
Pipecat's development runner has a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) in its `/files` endpoint. By sending URL-encoded slashes (`%2F` instead of `/`), an attacker can bypass the security checks of Starlette (the web framework) and read any file accessible to the Pipecat process, such as SSH keys or system files, without needing credentials.
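The containment check that closes this class of bug, shown beside the weak join it replaces, as an added example that is not Pipecat's or Starlette's code. It assumes the handler percent-decodes the path parameter and joins it onto a served directory; `naive_resolve`, `safe_resolve`, `demo` and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_resolve(base_dir: Path, raw_param: str) -> Path:
    """Weak pattern (assumed): decode the parameter and join it, no containment check."""
    return Path(os.path.join(base_dir, unquote(raw_param)))


def safe_resolve(base_dir: Path, raw_param: str) -> Path:
    """Decode first, canonicalise, then require the result to stay under base_dir."""
    decoded = unquote(raw_param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = base_dir.resolve()
    # resolve() collapses ".." and follows symlinks; an absolute `decoded`
    # replaces `base` entirely, which the containment test below also rejects.
    candidate = (base / decoded).resolve()
    if not candidate.is_relative_to(base):
        raise PermissionError(f"outside served directory: {raw_param!r}")
    return candidate


def demo() -> dict:
    """Constructed layout: <root>/served/ok.txt (public) and <root>/secret.txt."""
    root = Path(tempfile.mkdtemp()).resolve()
    served = root / "served"
    served.mkdir()
    (served / "ok.txt").write_text("public")
    (root / "secret.txt").write_text("private")

    # Constructed parameter: a single segment whose separator is sent as %2F.
    encoded = "..%2Fsecret.txt"
    results = {"has_literal_slash": "/" in encoded}
    results["naive_reads"] = naive_resolve(served, encoded).read_text()
    try:
        safe_resolve(served, encoded)
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    results["safe_ok"] = safe_resolve(served, "ok.txt").read_text()
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs on the decoded, resolved path, so it holds however the separator was encoded on the wire.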
Vulnerability Details
EPSS: 0.0%
Yes
May 15, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-3363-2ph6-35wh
First tracked: May 15, 2026 at 02:00 PM