CVE Reports

Posted on • Originally published at cvereports.com

GHSA-v2x6-wwfw-r2rq: Path Traversal and Parameter Injection in Agentgateway

Vulnerability ID: GHSA-V2X6-WWFW-R2RQ
CVSS Score: 8.1
Published: 2026-03-05

A critical input validation vulnerability exists in Agentgateway, a proxy for AI agents and Model Context Protocol (MCP) servers. The flaw occurs within the component responsible for translating MCP tools/call requests into upstream OpenAPI HTTP requests. Due to a lack of sanitization and URL encoding, attackers can manipulate the structure of the upstream request. This allows for path traversal attacks to access unauthorized endpoints, query parameter injection to alter application logic, and header injection to spoof identity or bypass security controls. The vulnerability affects all versions prior to the patch released on January 28, 2026.

TL;DR

Agentgateway failed to properly sanitize or encode user inputs when proxying requests from AI agents to upstream APIs. This allows attackers to perform path traversal (../), inject query parameters, and manipulate HTTP headers. Fixed in commit 9a52875.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Improper Input Validation
  • CWE ID: CWE-20 / CWE-74
  • Attack Vector: Network (Remote)
  • CVSS Estimate: 8.1 (High)
  • Impact: Path Traversal, Parameter Injection
  • Platform: Rust

Affected Systems

  • Agentgateway (Rust Crate)
  • AI Agent implementations using Agentgateway for MCP support
  • agentgateway: versions before 2026-01-28 (fixed in commit 9a52875)

Code Analysis

Commit: 9a52875

Fixed missing parameter sanitization in MCP to OpenAPI conversion

Diff adds percent-encoding and header allow-listing logic
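
The defect class and the two fixes named above (percent-encoding and header allow-listing), as an added Rust example. It is not agentgateway's code or the contents of commit 9a52875; the function names, the /users/{id} template and the sample arguments are all constructed for illustration.

```rust
// Added illustration, not agentgateway's code; every name here is hypothetical.
/// Percent-encode every byte outside the RFC 3986 "unreserved" set.
fn pct_encode(value: &str) -> String {
    value.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

type Args<'a> = [(&'a str, &'a str)];

/// Unsafe pattern: argument values are spliced into the URL verbatim.
fn build_url_naive(template: &str, path: &Args, query: &Args) -> String {
    let mut url = template.to_string();
    for (name, value) in path {
        url = url.replace(&format!("{{{}}}", name), value);
    }
    let q: Vec<String> = query.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
    if q.is_empty() { url } else { format!("{}?{}", url, q.join("&")) }
}

/// Hardened pattern: encode each value so it stays one segment or one query value.
fn build_url_hardened(template: &str, path: &Args, query: &Args) -> Result<String, String> {
    let mut url = template.to_string();
    for (name, value) in path {
        // '.' is unreserved, so encoding alone would leave "." and ".." intact.
        if value.is_empty() || *value == "." || *value == ".." {
            return Err(format!("rejected path parameter '{}'", name));
        }
        url = url.replace(&format!("{{{}}}", name), &pct_encode(value));
    }
    let q: Vec<String> = query.iter().map(|(k, v)| format!("{}={}", pct_encode(k), pct_encode(v))).collect();
    Ok(if q.is_empty() { url } else { format!("{}?{}", url, q.join("&")) })
}

/// Forward only headers the operator listed, and never values carrying CR or LF.
fn filter_headers<'a>(requested: &Args<'a>, allowed: &[&str]) -> Vec<(&'a str, &'a str)> {
    requested.iter().copied()
        .filter(|(name, value)| allowed.iter().any(|a| a.eq_ignore_ascii_case(name))
            && !value.contains(|c: char| c == '\r' || c == '\n'))
        .collect()
}

fn main() {
    // Constructed tool-call arguments for a template such as /users/{id}.
    let (path, query) = ([("id", "../admin")], [("q", "x&role=admin")]);
    println!("naive:    {}", build_url_naive("/users/{id}", &path, &query));
    println!("hardened: {:?}", build_url_hardened("/users/{id}", &path, &query));
}
```

Some upstream servers decode %2F before routing, so encoding at the proxy complements rather than replaces the strict schema typing listed in the remediation steps.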

Mitigation Strategies

  • Software Update
  • Input Validation
  • Schema Hardening

Remediation Steps:

  1. Update agentgateway immediately to a version including commit 9a5287569d892e77a8be8c3bb7bf3d7744244274 or later.
  2. Audit existing OpenAPI schemas used by the agent to ensure strict typing for all parameters (e.g., ensuring numeric IDs are actually typed as integers).
  3. If immediate patching is not possible, implement a Web Application Firewall (WAF) rule in front of the proxy to block requests containing path traversal sequences (../, %2e%2e%2f) or suspicious query characters in parameter values.

Read the full report for GHSA-V2X6-WWFW-R2RQ on our website for more details including interactive diagrams and full exploit analysis.