Key Information

Version: 1.10.14

Vulnerability Description

Vulnerability Type: Local File Inclusion (LFI) vulnerability
Affected Component: endpoint of the gRPC server
Root Cause: The function only checks whether the file path ends with the expected suffix, without performing any further path validation (no normalization and no check that the resolved path stays inside the intended directory). An attacker can append to the path so that the suffix check still passes while an arbitrary file is read.

Source-Sink Analysis

1. Source: User-controlled input comes from the field in the gRPC request.
2. Processing: The function performs only a simple extension check on that value.
3. Sink: In the call , a file is opened based on the user input, which has not been properly sanitized.

Proof of Concept

1. Create a target file:
2. Start the Dagster gRPC server:
3. Use the following exploitation script:
4. Run the exploit script to read the file:

Mitigation

The path traversal vulnerability has been fixed.
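The advisory does not reproduce the affected function, the suffix it checks, or the exact bypass string, so the following is an added illustration of the bug class rather than Dagster's own code: a loader that enforces only a suffix check beside a hardened version that resolves the path and confines it to an allowed directory. The `.py` suffix, the `repo/` layout and the `secret.py` file are constructed for the example, and `demo()` builds them in a temporary directory so it runs offline.

```python
import os
import tempfile

# Hypothetical suffix, chosen for the example; the advisory does not state
# which extension the affected function actually checks.
ALLOWED_SUFFIX = ".py"


def vulnerable_open(path: str, suffix: str = ALLOWED_SUFFIX) -> str:
    """Suffix-only check: the pattern the advisory describes.

    Any path is opened as long as it ends with `suffix`, so '..' segments and
    absolute paths escape whatever directory the caller meant to serve.
    """
    if not path.endswith(suffix):
        raise ValueError("unexpected extension")
    with open(path, "r", encoding="utf-8") as f:  # sink: user-controlled path
        return f.read()


def hardened_open(path: str, base_dir: str, suffix: str = ALLOWED_SUFFIX) -> str:
    """Keep the suffix check, but also confine the resolved path to base_dir."""
    if not path.endswith(suffix):
        raise ValueError("unexpected extension")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment test
    # below sees the file that would really be opened, not the raw string.
    target = os.path.realpath(os.path.join(base, path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {path!r}")
    with open(target, "r", encoding="utf-8") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: a served directory with one module and a secret outside it."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "repo")
    os.makedirs(served)
    with open(os.path.join(served, "defs.py"), "w", encoding="utf-8") as f:
        f.write("# legitimate module\n")
    with open(os.path.join(root, "secret.py"), "w", encoding="utf-8") as f:
        f.write("TOKEN = 'constructed-secret'\n")

    # Passes the suffix check yet points outside the served directory.
    traversal = "../secret.py"
    results = {}

    results["vulnerable_reads_secret"] = "constructed-secret" in vulnerable_open(
        os.path.join(served, traversal)
    )
    try:
        hardened_open(traversal, served)
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True

    results["hardened_allows_legit"] = "legitimate" in hardened_open("defs.py", served)

    try:
        hardened_open("../secret.txt", served)
        results["hardened_rejects_suffix"] = False
    except ValueError:
        results["hardened_rejects_suffix"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The containment test compares `realpath` results rather than string prefixes, so `base_dir` symlinks and a sibling directory whose name merely starts with the base name (`repo2/`) are handled correctly; a bare `startswith(base)` check would not catch the latter.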