CVE-2026-53598 in Prompty
Summary
by MITRE • 07/16/2026
Prompty is a markdown file format (.prompty) for LLM prompts. Prior to 2.0.0-beta.2, Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that resolved paths stayed within the prompt directory or allowed roots, allowing an attacker-controlled prompt file to read local files through absolute paths, .. traversal, or symlink escapes. This issue is fixed in versions 2.0.0-beta.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Prompty versions prior to 2.0.0-beta.2 represents a critical path traversal and arbitrary file access flaw that fundamentally undermines the security boundaries of prompt processing systems. This vulnerability specifically affects the loader component responsible for handling ${file:...} references within .prompty frontmatter sections, where external inputs are processed without proper validation of path resolution boundaries. The flaw allows attackers to craft malicious prompt files that can traverse filesystem paths using absolute paths, directory traversal sequences like .. or symlink escapes, effectively bypassing intended security restrictions that should confine file access to designated prompt directories.
The technical implementation of this vulnerability stems from insufficient input sanitization and path validation within the loader's file resolution mechanism. When a .prompty file contains references such as ${file:/etc/passwd} or ${file:../../../etc/passwd}, the system fails to enforce that resolved paths remain within predefined safe directories, particularly those designated for prompt-related content or user-accessible root paths. This creates an arbitrary file reading capability where attackers can access sensitive files beyond the intended scope of the application's file operations, potentially exposing system configuration files, credential stores, or other sensitive data.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass potential privilege escalation and data exfiltration scenarios. Attackers could leverage this flaw to read system files such as /etc/shadow, configuration databases, or application secrets stored in accessible locations. The vulnerability affects any system processing prompty files that utilize the affected loader functionality, making it particularly dangerous in environments where untrusted user input is processed through prompt parsing mechanisms. This includes development environments, CI/CD pipelines, and any application stack that incorporates Prompty file handling without proper boundary enforcement.
Security mitigations for this vulnerability primarily involve upgrading to version 2.0.0-beta.2 or later, which implements proper path validation and boundary enforcement mechanisms. Additional protective measures include implementing strict file access controls, employing sandboxed execution environments for prompt processing, and validating all external references through whitelisting mechanisms that restrict file access to predefined safe directories. The fix addresses the core issue by enforcing that resolved file paths remain within designated boundaries, preventing directory traversal attacks and ensuring that absolute path references are properly validated against allowed root directories. Organizations should also consider implementing automated scanning for similar vulnerabilities in other file processing components and establishing comprehensive input validation policies for all external data sources.
This vulnerability aligns with CWE-22 Path Traversal and CWE-73 Path Traversal, representing a classic directory traversal attack vector that has been frequently exploited in various software systems. From an ATT&CK perspective, this maps to T1059 Command and Scripting Interpreter and T1566 Phishing, as attackers could use this vulnerability to exfiltrate sensitive data or establish persistent access through compromised prompt files. The remediation process should include thorough code review of all file processing components and implementation of defense-in-depth strategies that enforce principle of least privilege for file system access during prompt parsing operations.