CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59807

mediumCVSS 6.8covered by 1 sourcefirst seen 2026-07-08
Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to read and exfiltrate sensitive files by exploiting a missing assertSafeFileUploadPath check in the readFileFromDisk function within tool-file-uploads.ts. Attackers can exploit prompt injection to manipulate file_uploadable parameters to reference sensitive paths such as SSH private keys, causing the CLI to upload credential files to attacker-controlled storage.

⚡ Watch CVE-2026-59807

Get an email if CVE-2026-59807 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59807

CVE.org record

Embed the live status

CVE-2026-59807 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59807 status](https://www.csirts.com/badge/CVE-2026-59807)](https://www.csirts.com/cve/CVE-2026-59807)