CVE-2026-3954

Name of the Vulnerable Software and Affected Versions OpenBMB XAgent version 1.0.0

Description A flaw exists in OpenBMB XAgent that allows for path traversal. The issue is located within the workspace function of the XAgentServer/application/routers/workspace.py file. Manipulation of the file name argument can lead to unauthorized access. This issue can be exploited remotely, and a public exploit is available. The project was notified of the issue but has not yet responded.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.