CVE-2026-42075

CVE-2026-42075 is a path traversal vulnerability (CWE-22) affecting Evolver, a GEP-powered self-evolving engine for AI agents, in versions prior to 1.69.3. The issue resides in the skill download (fetch) command, where the --out= flag accepts user-provided paths without validation. This allows attackers to specify paths that traverse directories, enabling writes to arbitrary locations on the filesystem, such as overwriting critical system files or creating files in sensitive directories. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By providing a malicious path to the --out= flag during execution of the fetch command, such as one using directory traversal sequences (e.g., ../), they can achieve arbitrary file writes. This results in high integrity (I:H) and availability (A:H) impacts, potentially disrupting system operations or escalating control through file manipulation, though no confidentiality impact is present.

The vulnerability has been patched in Evolver version 1.69.3, as detailed in the project's GitHub release notes and security advisories (GHSA-r466-rxw4-3j9j). Security practitioners should upgrade to 1.69.3 or later to mitigate the issue, and review usage of the fetch command's --out= flag in automated or user-controlled environments.

Evolver's role as a self-evolving engine for AI agents introduces relevance to AI/ML deployments, where untrusted skill downloads could amplify risks in agentic workflows. No public evidence of real-world exploitation is available as of the CVE publication on 2026-05-04.