Jovancoding/Network-AI

v5.8.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 10d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture

+14 more

crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal

editorial:auto 10d

Release v5.8.4 of blackboard.py fixes an arbitrary file read/write vulnerability via the --path argument and adds runtime path‑traversal checks while blocking symlink traversal.

Why it matters: Addresses CVE‑style file access risk in CLI; upgrade to v5.8.4 immediately if using `--path`.

Summary

AI summary

Fixed arbitrary file read/write vulnerability via --path in blackboard.py (CWE-22).

Changes in this release

Type	Severity	Summary	CVE
Security
Security	High	Adds runtime path-traversal check for `--path` in blackboard.py Adds runtime path-traversal check for `--path` in blackboard.py Source: granite4.1:30b@2026-05-24-audit Confidence: low	—
Security	High	Blocks symlink traversal by resolving paths before validation in blackboard.py Blocks symlink traversal by resolving paths before validation in blackboard.py Source: granite4.1:30b@2026-05-24-audit Confidence: low	—
Security	Medium	Fixes arbitrary file read/write via --path in blackboard.py Fixes arbitrary file read/write via --path in blackboard.py Source: llm_adapter@2026-05-24 Confidence: low	—
Refactor	Low	Updates `SKILL.md` capabilities.filesystem documentation to reflect enforcement Updates `SKILL.md` capabilities.filesystem documentation to reflect enforcement Source: granite4.1:30b@2026-05-24-audit Confidence: low	—

Full changelog

## Network-AI v5.8.4 — blackboard.py path-traversal fix (CWE-22)

Security

Arbitrary file read/write via --path in blackboard.py (Description-Behavior Mismatch, 96% confidence)

The --path CLI argument was forwarded to SharedBlackboard without any boundary check, allowing an agent or operator to read or write arbitrary local files outside the project directory. This contradicts the documented storage boundary and could be abused to overwrite sensitive project files or operate on attacker-chosen state.

Fix: Added a runtime path-traversal check immediately after argument parsing. args.path.resolve() is tested with relative_to(project_root); any path that escapes the project directory causes the script to exit with a clear error message. Symlink traversal is also blocked because resolve() is called before the comparison. The --path help text and script header comment both document this restriction. SKILL.md capabilities.filesystem updated to reflect the enforcement.

Files changed

scripts/blackboard.py, SKILL.md, CHANGELOG.md, package.json, skill.json, openapi.yaml, README.md, and all version-bearing doc files.

Security Fixes

CVE-2024-XXXXX — Arbitrary file read/write via --path in blackboard.py (CWE-22) fixed by adding path-traversal check and enforcing project‑directory boundary.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Jovancoding/Network-AI

Get notified when new releases ship.

About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.

All releases →