Pipecat Runner Lets Paths Slip the Guardrail (CVE-2026-44716)
Key Takeaways
- CVE-2026-44716 affects Pipecat versions 0.0.90 to before 1.2.0.
- The flaw sits in the runner /files endpoint when the --folder flag is used.
- Encoded path separators could bypass normalization and read files outside the intended folder.
- The issue was patched in Pipecat 1.2.0.
Summary
Pipecat CVE-2026-44716 is a path traversal vulnerability in a framework used to build real-time voice and multimodal AI agents. Although the bug is a traditional arbitrary file read flaw, its placement inside AI agent infrastructure makes it relevant to AI runtime security and agent governance.
What We Know
The GitHub Advisory Database published CVE-2026-44716 for Pipecat, describing a path traversal issue in the Pipecat runner’s /files endpoint when started with the --folder flag. The GitHub Advisory states that an attacker with network access to the runner could read any file the Pipecat process could access, including SSH private keys, credentials, and system files. OpenCVE lists affected versions from 0.0.90 to before 1.2.0 and reports a CVSS 3.1 score of 7.5. CVEFeed explains that URL-encoded slash separators could bypass normal path handling and escape the intended directory. This belongs in the AI incident tracker because Pipecat is an AI framework for real-time voice and multimodal agents, and exposed runner infrastructure can hold sensitive agent secrets.
What Could Happen
The vulnerability occurs when the runner serves files from a configured folder but fails to enforce a strict containment check after decoding the path parameter. Literal directory traversal may be normalized by the web framework, but encoded separators can be decoded later and resolve outside the intended root. The result is an unauthenticated arbitrary file read by anyone with network access to the runner. This is not a prompt injection or model compromise. It is a classic path traversal flaw appearing in an AI framework component. The AI-specific risk comes from the deployment context. Multimodal agents often need API keys, cloud credentials, speech provider secrets, model tokens, and local configuration files. If a runner is exposed during development or testing, those files may be reachable. Once credentials are stolen, attackers can pivot into model endpoints, agent tools, or enterprise data sources used by the AI workflow.
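The containment check the paragraph above describes, written out as an added example (not Pipecat's code; the function names and the demo folder layout are assumptions): decode the parameter first, resolve it against the served folder, and refuse anything that lands outside.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class OutsideRootError(ValueError):
    """Requested path resolves outside the served folder (hypothetical name)."""


def resolve_within(root, request_path: str) -> Path:
    """Map a URL path parameter onto a file under `root`, or refuse it."""
    root_dir = Path(root).resolve()
    # Decode first: an encoded separator (%2F) must be checked in decoded form.
    decoded = unquote(request_path)
    # Refuse absolute paths outright: Path(root) / "/abs" silently drops root.
    if Path(decoded).is_absolute():
        raise OutsideRootError(request_path)
    # resolve() collapses ".." and follows symlinks before the comparison.
    target = (root_dir / decoded).resolve()
    if not target.is_relative_to(root_dir):
        raise OutsideRootError(request_path)
    return target


def serve_file(root, request_path: str) -> bytes:
    """Return file contents only when the file lies inside `root`."""
    target = resolve_within(root, request_path)
    if not target.is_file():
        raise FileNotFoundError(request_path)
    return target.read_bytes()


def demo() -> dict:
    """Constructed layout: one file inside the served folder, one beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        served = base / "served"
        served.mkdir()
        (served / "greeting.txt").write_bytes(b"hello")
        (base / "outside.txt").write_bytes(b"not served")
        results = {"serves_inside": serve_file(served, "greeting.txt") == b"hello"}
        attempts = {
            "rejects_literal": "../outside.txt",
            "rejects_encoded_separator": "..%2Foutside.txt",
            "rejects_absolute": str(base / "outside.txt"),
        }
        for key, req in attempts.items():
            try:
                serve_file(served, req)
                results[key] = False
            except OutsideRootError:
                results[key] = True
        return results
```

The check runs on the final decoded, resolved path rather than on the framework's pre-routing normalization, which is the step the advisory describes as missing.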
Why It Matters
Pipecat shows that AI security cannot be separated from ordinary application security. A small file-serving endpoint in an agent framework can expose secrets that allow broader compromise of AI systems. The affected data may include SSH keys, service credentials, environment files, certificates, or agent configuration. For enterprises experimenting with voice agents and multimodal assistants, development runners are especially risky because they may be deployed quickly, exposed temporarily, or assumed to be internal. Regulatory and privacy concerns arise if the exposed files include customer data, logs, or credentials for systems that process sensitive information. The incident also reinforces the importance of inventorying AI frameworks and versions. Security teams need to know not only which models are deployed, but which supporting runners, middleware, and developer tools are reachable.
PointGuard AI Perspective
PointGuard AI helps reduce exposure from AI framework flaws by giving teams visibility into where AI applications, agents, and supporting services are running. The AI Runtime Protection glossary explains why active AI workflows require continuous protection beyond model development. The PointGuard AI Agent Control Plane can help govern agent identity and action scope so a compromised runner does not automatically translate into unrestricted tool access. For systems connected through tools or MCP, the PointGuard AI MCP Security Gateway adds policy enforcement and auditability between agents and enterprise resources. Pipecat-style flaws also demonstrate the value of connecting posture management with runtime controls. PointGuard AI can help teams identify exposed agent infrastructure, apply least privilege to credentials, monitor suspicious access, and prevent unauthorized data flows when an underlying framework bug appears. As AI teams move from prototypes to production voice and multimodal systems, these controls become essential to keep experimentation from becoming an unmanaged attack surface.
Incident Scorecard Details
Total AISSI Score: 6.2/10
- Criticality: 7.5 (AISSI weighting 25%). Arbitrary file read can expose credentials and system files from AI runner hosts.
- Propagation: 5.0 (AISSI weighting 20%). The flaw is limited to affected Pipecat runner deployments with network exposure.
- Exploitability: 6.0 (AISSI weighting 15%). Unauthenticated network exploitation is described, with no broad exploitation confirmed.
- Supply Chain: 7.0 (AISSI weighting 15%). Risk originates in an open-source AI framework dependency.
- Business Impact: 5.5 (AISSI weighting 25%). High-risk exposure exists, but realized customer impact has not been reported.
