Microsoft patched a critical vulnerability in its NLWeb AI search tool – but there's no CVE (yet)
Researchers found an unauthenticated path traversal bug in the tool debuted at Microsoft Build in May
Security researchers have discovered a critical flaw in NLWeb, a new tool unveiled by Microsoft just over two months ago, that allows remote users to read sensitive files without authorization.
NLWeb is a so-called agentic AI tool that allows users to search web pages using a generative AI chatbot, which will remember the users’ preferences.
Ramanathan Guha, a technical fellow at Microsoft, demonstrated how this works using the website Serious Eats during Microsoft Build in May 2025.
While searching for recipes for the Hindu festival of Diwali, Guha mentioned to the chatbot that he is vegetarian. According to Guha, this means the website will only recommend vegetarian recipes when he’s searching for inspiration from now on.
So far, so useful, but it seems new and exciting tools open the door to new and exciting vulnerabilities.
The bug was discovered by Aonan Guan and Lei Wang in a security audit of the NLWeb open source repository.
According to Guan, who wrote about his discovery in a Medium post, the flaw “allowed any remote user to read sensitive files, including system configurations (/etc/passwd) and cloud credentials (.env files), using a simple, malformed URL”.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Guan identified a code block using os.path.normpath() that he said “immediately raised a red flag”.
“The function normalizes path separators but does not prevent a user from "climbing" out of the intended directory with ../ sequences. It's a classic path traversal flaw waiting to be exploited,” he noted.
Guan pointed to three separate oversights in the code that he said led to the vulnerability: improper sanitization, an expanded attack surface, and a lack of final path validation.
What’s being done about the NLWeb flaw?
While the flaw was discovered on 28 May and a vulnerability report submitted the same day, Guan has only just made his and Lei’s findings public.
Additionally, while Microsoft Security Response Center committed a patch on 30 June it confirmed to Guan on 1 July that it wouldn’t be issuing a CVE for the issue.
There is no suggestion from Guan that organizations deploying or experimenting with NLWeb should abandon their projects.
Instead he advises they:
- Update their instance immediately “to any version including or after commit 8ffdb0f from the official GitHub repository”
- Implement WAF/reverse proxy rules
- Never bind NLWeb directly to a public IP address, thus avoiding direct public exposure
- Configure monitoring systems to issue high-priority alerts for suspicious HTTP 404 or 400 error responses for URIs that have path traversal patterns
“This case study serves as a critical reminder that as we build new AI-powered systems, we must re-evaluate the impact of classic vulnerabilities, which now have the potential to compromise not just servers, but the ‘brains’ of AI agents themselves,” Guan said.
ITPro contacted Microsoft for comment on the report, but hadn’t received a response at the time of publication.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- NCSC says ‘limited number’ of UK firms affected by SharePoint attack
- SharePoint flaw: Microsoft says hackers deploying ransomware
- Warning issued after SharePoint flaw puts entire corporate networks at risk

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.
-
'It’s a marker of where extortion tradecraft is heading': Cyber experts say they've identified the first case of ‘agentic ransomware’ – but there’s a catchNews While the JadePuffer ransomware has alarm bells ringing, it still needed a human in the loop
-
Three quarters of firms have halted AI projects over safety and security concerns – and cyber pros think things will deteriorate as models like Claude Mythos improveNews AI has become a leading problem for enterprise security teams, they can't automate their way out of trouble
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
IT teams are bullish on AI tools, but they’re worried security practices can’t keep paceNews Executives and IT teams are at odds over the risks associated with AI adoption
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
‘These sorts of post-compromise techniques used to be restricted to actors with the technical knowledge to carry them out’: Anthropic warns AI is helping lower the bar for up-and-coming hackersNews AI is making it harder to differentiate between high and low-skilled actors
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
