CVE-2026-39981: AGiXT is a dynamic AI Agent Automation Platform. Prior to 1.9.2, the safe_join() function in the essential_abilities ext
highvulnerability
security
Summary
AGiXT, a platform for automating AI agents, has a vulnerability in its safe_join() function (a tool meant to safely combine file paths) that fails to check whether file paths stay within the agent's allowed workspace. Before version 1.9.2, an authenticated attacker could use directory traversal sequences (special path tricks like '../' to navigate outside intended folders) to read, write, or delete files on the server.
Solution / Mitigation
Update AGiXT to version 1.9.2, where this vulnerability is fixed.
Vulnerability Details
CVSS Score
8.8(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
April 9, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
Affected Vendors
LangChain
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-39981
First tracked: April 9, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 92%