Apr 7, 2026·6 min read·29 visits
A logic error in PraisonAI's path validation allows attackers to bypass sandbox restrictions and access arbitrary files on the host system. Updating to version 4.5.113 resolves the issue.
PraisonAI prior to version 4.5.113 contains a critical path traversal vulnerability in the FileTools component. The vulnerability arises from an incorrect order of operations during path normalization, allowing unauthenticated remote attackers to read or write arbitrary files on the host system.
PraisonAI operates as a multi-agent teams system designed to automate complex workflows. The application exposes file system operations through the FileTools component. This component processes user-supplied file paths to execute operations such as reading, writing, and deleting files within a designated workspace.
A critical path traversal vulnerability, tracked as CVE-2026-35615, exists within the validate_path function of the FileTools component. The flaw belongs to the CWE-22 vulnerability class, representing an improper limitation of a pathname to a restricted directory. This occurs due to a flawed order of operations during path sanitization.
The vulnerability permits unauthenticated, remote attackers to supply crafted file paths containing traversal sequences. These sequences bypass the validation logic and resolve to absolute paths outside the intended workspace boundary. Exploitation results in arbitrary file read and write access across the host operating system.
The root cause of CVE-2026-35615 is an improper implementation of path validation logic. The validate_path function relies on Python's standard os.path.normpath() function to sanitize user input. The application attempts to detect traversal attacks by checking for the presence of the .. sequence within the sanitized string.
This implementation contains a fundamental logic error. The os.path.normpath() function operates by resolving and collapsing parent directory .. sequences to generate a clean, normalized path string. When an attacker provides a path like /app/data/../../etc/passwd, the function normalizes it directly to /etc/passwd.
The security check if '..' in normalized: executes immediately after normalization. Since the normpath function has already stripped all traversal sequences from the string, the condition consistently evaluates to False. The validation mechanism fails to detect the attack entirely.
Following this failed check, the function converts the normalized string to an absolute path using os.path.abspath() and returns it. The calling function then uses this path for subsequent file operations. The application executes these operations with the privileges of the running process.
The vulnerable code path demonstrates the critical flaw in the sanitization sequence. The developer intended to sanitize the input first, then check the resulting string for malicious patterns. This approach fundamentally misunderstands the behavior of the normalization function.
# src/praisonai-agents/praisonaiagents/tools/file_tools.py
class FileTools:
@staticmethod
def validate_path(filepath: str) -> str:
# Normalization collapses .. sequences
normalized = os.path.normpath(filepath)
absolute = os.path.abspath(normalized)
# Validation occurs after the sequences are removed
if '..' in normalized:
raise ValueError(f"Path traversal detected: {filepath}")
return absoluteA robust remediation requires validating the raw input before any normalization occurs. Additionally, the application must enforce a strict sandbox by verifying that the final absolute path resides within a designated base directory. The patched implementation utilizes os.path.abspath to resolve the intended base directory and the requested file path independently.
def validate_path(filepath: str, base_dir: str) -> str:
# Check for traversal sequences in the raw input
if '..' in filepath:
raise ValueError("Traversal sequence detected")
# Construct and verify the absolute path boundary
absolute = os.path.abspath(os.path.join(base_dir, filepath))
if not absolute.startswith(os.path.abspath(base_dir)):
raise ValueError("Access outside base directory")
return absoluteExploitation of this vulnerability requires an attacker to interact with any PraisonAI tool that delegates path handling to FileTools. Affected functionalities include read_file, write_file, list_files, and delete_file. The attacker supplies a crafted payload containing parent directory traversal sequences.
The following proof-of-concept demonstrates the bypass mechanism. The script imports the vulnerable FileTools component and supplies a malicious path intended to target the system password file. The validation function processes the input and returns the resolved, unauthorized path.
from praisonaiagents.tools.file_tools import FileTools
# Malicious path intended to read /etc/passwd
malicious_path = '/tmp/../etc/passwd'
# The validation function returns the resolved path instead of raising an error
resolved_path = FileTools.validate_path(malicious_path)
print(f"Validated (resolved) path: {resolved_path}")
# Output: Validated (resolved) path: /etc/passwdThe attack sequence can be visualized using the following logical flow diagram. It illustrates how the normalized path bypasses the security check.
Even with proper sequence checks on the raw string, naive implementations remain susceptible to variant attacks. Attackers can supply absolute paths directly to bypass directory prefix logic if the application does not explicitly anchor the path to the base workspace. Furthermore, os.path.abspath does not resolve symbolic links, permitting attackers to point a symlink to sensitive files if they possess write access to the workspace.
CVE-2026-35615 carries a CVSS v4.0 base score of 9.2, indicating a critical severity level. The attack vector specifies AV:N, meaning the vulnerability is exploitable over the network. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N).
The primary impact applies to the confidentiality and integrity of the host system. The attacker achieves arbitrary file read capabilities, exposing sensitive configuration files, environment variables, and source code. If the application exposes file write capabilities through the same component, the attacker can overwrite arbitrary system files or inject malicious code.
The CVSS vector denotes a high impact on subsequent systems (SC:H). Unauthorized access to database credentials, API keys, or private SSH keys stored on the filesystem facilitates immediate lateral movement. This grants the attacker the ability to pivot into adjacent network segments or escalate privileges within the cloud environment.
The vendor addressed this vulnerability in PraisonAI version 4.5.113. System administrators must upgrade all PraisonAI deployments to version 4.5.113 or a later release to implement the corrected path validation logic. Verification of the running version is required to ensure the patch is active.
If immediate patching is not technically feasible, administrators should apply restrictive filesystem permissions. The PraisonAI service must execute under a dedicated, unprivileged service account. This account should possess read and write access strictly limited to the intended workspace directories.
Network defenders can deploy detection signatures to identify exploitation attempts. Intrusion detection systems should inspect application payloads for sequences matching ../ or ..\ directed at PraisonAI API endpoints. Web Application Firewalls can be configured to block requests containing known critical system file paths such as /etc/passwd or win.ini in the payload body.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
PraisonAI MervinPraison | < v4.5.113 | v4.5.113 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network |
| CVSS Score | 9.2 |
| Authentication | None Required |
| Exploit Status | Public PoC Available |
| CISA KEV | Not Listed |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.
A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.