
CVE-2026-10044

ai-goofish-monitor - API Service

Usagi-org • CVSS 7.5 • Updated May 29, 2026

Executive Risk Summary

"The ai-goofish-monitor API service contains an unauthenticated arbitrary file read vulnerability, allowing remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. This vulnerability can be exploited to expose sensitive files accessible to the application process."

Anticipated Attack Path

  1. Initial Exploitation: Unauthenticated attacker sends a crafted GET request to the /api/prompts/{filename} endpoint
  2. Privilege Escalation: Attacker uses absolute Windows paths or backslash-based traversal sequences to bypass the path traversal guard
  3. Post-Exploitation: Attacker reads arbitrary files, potentially exposing sensitive information

Am I Vulnerable?

  • Verify if the ai-goofish-monitor API service is exposed to the internet or accessible by untrusted users
  • Check for any suspicious GET requests to the /api/prompts/{filename} endpoint
  • Monitor system logs for potential file read attempts
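
One way to run the request check above over web access logs, as an added example (not code from ai-goofish-monitor or its advisory). The log line shape, the sample lines and all function names are assumptions, and it goes slightly beyond the text by also decoding percent-encoded backslashes.

```python
import re
from urllib.parse import unquote

# Assumed access-log shape: ... "GET <path> HTTP/1.1" <status> <bytes>
REQUEST_RE = re.compile(r'"GET\s+(/api/prompts/[^\s"]*)\s+HTTP/[\d.]+"\s+(\d{3})')
PREFIX = "/api/prompts/"

def decode_fully(value, rounds=3):
    """Percent-decode several times so %5c and %255c both surface as a backslash."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(filename):
    """Return the reasons a {filename} value looks like a path rather than a file name."""
    name = decode_fully(filename)
    reasons = []
    if "\\" in name:
        reasons.append("backslash")
    if re.match(r"^[A-Za-z]:", name):
        reasons.append("drive-letter absolute path")
    if ".." in re.split(r"[\\/]", name):
        reasons.append("dot-dot segment")
    return reasons

def flag_prompt_requests(log_lines):
    """Return (status, raw_path, reasons) for each suspicious /api/prompts/ request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path, status = m.group(1), int(m.group(2))
        reasons = classify(raw_path[len(PREFIX):].split("?", 1)[0])
        if reasons:
            hits.append((status, raw_path, reasons))
    return hits

# Constructed sample lines (not real traffic; file names are placeholders).
SAMPLE = [
    '203.0.113.7 - - [29/May/2026:10:01:02 +0000] "GET /api/prompts/base_prompt.txt HTTP/1.1" 200 812',
    '203.0.113.9 - - [29/May/2026:10:01:05 +0000] "GET /api/prompts/..%5c..%5cexample.env HTTP/1.1" 200 455',
    '203.0.113.9 - - [29/May/2026:10:01:06 +0000] "GET /api/prompts/C:%5Cexample%5Csecret.txt HTTP/1.1" 200 92',
    '203.0.113.9 - - [29/May/2026:10:01:07 +0000] "GET /api/prompts/%255c%255cnotes.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for status, path, reasons in flag_prompt_requests(SAMPLE):
        print(status, path, ", ".join(reasons))
```

A flagged request that returned status 200 is the case to prioritize for follow-up, since it indicates the file content was served.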

Operational Audit Arsenal

Target Type: Windows Service
Target Asset: ai-goofish-monitor.exe
Standard Path: C:\Program Files\ai-goofish-monitor\

Manual Verification Required

This is a non-Windows asset (Usagi-org). Use the target asset details and official path provided above to verify your current version against the official vendor advisories listed below.

Patch Impact Forecast

Reboot Required: Unlikely

Minimal, as the patch only affects the ai-goofish-monitor API service

Internal Work Notes

Unauthenticated arbitrary file read vulnerability in the ai-goofish-monitor API service, requiring immediate patching to prevent potential data exposure.


Intelligence Sources

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.