Network-AI
Release

v5.8.4 — blackboard.py path-traversal fix (CWE-22)

Published 2026-05-24 | Release notes

Arbitrary file read/write via --path in blackboard.py (Description-Behavior Mismatch, 96% confidence)


Security

The --path CLI argument was forwarded to SharedBlackboard without any boundary check, allowing an agent or operator to read or write arbitrary local files outside the project directory. This contradicts the documented storage boundary and could be abused to overwrite sensitive project files or operate on attacker-chosen state.

Fix: Added a runtime path-traversal check immediately after argument parsing. args.path.resolve() is tested with relative_to(project_root); any path that escapes the project directory causes the script to exit with a clear error message. Symlink traversal is also blocked because resolve() is called before the comparison. The --path help text and the script header comment both document this restriction, and SKILL.md capabilities.filesystem was updated to reflect the enforcement.
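The check described above, sketched as an added example (not the project's own code from scripts/blackboard.py). The helper names, the constructed directory layout, and the choice to interpret relative values against the project root are assumptions; a prefix-only string comparison is included for contrast.

```python
import os
import tempfile
from pathlib import Path


def ensure_within_project(candidate, project_root):
    """Hypothetical helper: return the resolved path if inside project_root, else raise."""
    root = Path(project_root).resolve()
    # Assumption: a relative --path value is interpreted against the project root.
    resolved = (root / candidate).resolve()  # collapses ".." and follows symlinks
    try:
        resolved.relative_to(root)  # raises ValueError when resolved is outside root
    except ValueError:
        raise ValueError(f"--path escapes project directory: {resolved}") from None
    return resolved


def naive_prefix_check(candidate, project_root):
    """Weak check shown for contrast: string prefix on the unresolved path."""
    return str(Path(project_root) / candidate).startswith(str(project_root))


def demo():
    """Build a constructed directory layout and classify sample --path values."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "project"
        (root / "data").mkdir(parents=True)
        (base / "project-evil").mkdir()  # sibling that shares the root's string prefix
        (base / "outside.json").write_text("{}")
        os.symlink(base / "outside.json", root / "data" / "link.json")
        samples = ["data/board.json", "../outside.json", "data/link.json",
                   str(base / "project-evil" / "x.json")]
        for s in samples:
            try:
                ensure_within_project(s, root)
                strict = True
            except ValueError:
                strict = False
            results[s.replace(str(base), "<base>")] = (strict, naive_prefix_check(s, root))
    return results


if __name__ == "__main__":
    for path, (strict, naive) in demo().items():
        print(f"{path:28} resolve+relative_to={strict!s:5} prefix-only={naive}")
```

In a CLI the ValueError would be turned into a non-zero exit right after argument parsing, before any file is opened.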

Files changed

scripts/blackboard.py, SKILL.md, CHANGELOG.md, package.json, skill.json, openapi.yaml, README.md, and all version-bearing doc files.

Release FAQ

What changed in v5.8.4?

Arbitrary file read/write via --path in blackboard.py (Description-Behavior Mismatch, 96% confidence)

When was v5.8.4 published?

v5.8.4 was published on May 24, 2026.
