{"id":"CVE-2026-58166","summary":"OpenBMB ChatDev - Unauthenticated Path Traversal in Upload Handler Allows Arbitrary File Write and Delete","details":"OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing path traversal sequences or an absolute path to the POST uploads session endpoint, which constructs the destination path without sanitization in save_upload_file, causing file write and cleanup operations to target attacker-chosen paths on the server filesystem.","modified":"2026-07-16T03:30:48.735510252Z","published":"2026-06-30T15:51:20.900Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58166.json","cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58166.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58166"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/openbmb-chatdev-unauthenticated-path-traversal-in-upload-handler-allows-arbitrary-file-write-and-delete"},{"type":"REPORT","url":"https://github.com/OpenBMB/ChatDev/pull/641"},{"type":"FIX","url":"https://github.com/OpenBMB/ChatDev/commit/4fd4da603801766b14ad8788649cfc1ad21f99a6"},{"type":"PACKAGE","url":"https://github.com/OpenBMB/ChatDev"},{"type":"EVIDENCE","url":"https://github.com/OpenBMB/ChatDev/issues/638"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openbmb/chatdev","events":[{"introduced":"0"},{"fixed":"3c72d860d2553f05129b7dff0fd4efdde5b01d2f"},{"fixed":"4fd4da603801766b14ad8788649cfc1ad21f99a6"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.2.0"}]}}],"versions":["v2.2.0","v2.1.0","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58166.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}]}