CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-35615

CVE-2026-35615: Critical Path Traversal in PraisonAI FileTools

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 7, 2026·6 min read·29 visits

Executive Summary (TL;DR)

A logic error in PraisonAI's path validation allows attackers to bypass sandbox restrictions and access arbitrary files on the host system. Updating to version 4.5.113 resolves the issue.

PraisonAI prior to version 4.5.113 contains a critical path traversal vulnerability in the FileTools component. The vulnerability arises from an incorrect order of operations during path normalization, allowing unauthenticated remote attackers to read or write arbitrary files on the host system.

Vulnerability Overview

PraisonAI operates as a multi-agent teams system designed to automate complex workflows. The application exposes file system operations through the FileTools component. This component processes user-supplied file paths to execute operations such as reading, writing, and deleting files within a designated workspace.

A critical path traversal vulnerability, tracked as CVE-2026-35615, exists within the validate_path function of the FileTools component. The flaw belongs to the CWE-22 vulnerability class, representing an improper limitation of a pathname to a restricted directory. This occurs due to a flawed order of operations during path sanitization.

The vulnerability permits unauthenticated, remote attackers to supply crafted file paths containing traversal sequences. These sequences bypass the validation logic and resolve to absolute paths outside the intended workspace boundary. Exploitation results in arbitrary file read and write access across the host operating system.

Root Cause Analysis

The root cause of CVE-2026-35615 is an improper implementation of path validation logic. The validate_path function relies on Python's standard os.path.normpath() function to sanitize user input. The application attempts to detect traversal attacks by checking for the presence of the .. sequence within the sanitized string.

This implementation contains a fundamental logic error. The os.path.normpath() function operates by resolving and collapsing parent directory .. sequences to generate a clean, normalized path string. When an attacker provides a path like /app/data/../../etc/passwd, the function normalizes it directly to /etc/passwd.

The security check if '..' in normalized: executes immediately after normalization. Since the normpath function has already stripped all traversal sequences from the string, the condition consistently evaluates to False. The validation mechanism fails to detect the attack entirely.

Following this failed check, the function converts the normalized string to an absolute path using os.path.abspath() and returns it. The calling function then uses this path for subsequent file operations. The application executes these operations with the privileges of the running process.

Code Analysis

The vulnerable code path demonstrates the critical flaw in the sanitization sequence. The developer intended to sanitize the input first, then check the resulting string for malicious patterns. This approach fundamentally misunderstands the behavior of the normalization function.

# src/praisonai-agents/praisonaiagents/tools/file_tools.py
class FileTools:
    @staticmethod
    def validate_path(filepath: str) -> str:
        # Normalization collapses .. sequences
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)
        
        # Validation occurs after the sequences are removed
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")
        
        return absolute

A robust remediation requires validating the raw input before any normalization occurs. Additionally, the application must enforce a strict sandbox by verifying that the final absolute path resides within a designated base directory. The patched implementation utilizes os.path.abspath to resolve the intended base directory and the requested file path independently.

def validate_path(filepath: str, base_dir: str) -> str:
    # Check for traversal sequences in the raw input
    if '..' in filepath:
        raise ValueError("Traversal sequence detected")
        
    # Construct and verify the absolute path boundary
    absolute = os.path.abspath(os.path.join(base_dir, filepath))
    if not absolute.startswith(os.path.abspath(base_dir)):
        raise ValueError("Access outside base directory")
        
    return absolute

Exploitation and Attack Methodology

Exploitation of this vulnerability requires an attacker to interact with any PraisonAI tool that delegates path handling to FileTools. Affected functionalities include read_file, write_file, list_files, and delete_file. The attacker supplies a crafted payload containing parent directory traversal sequences.

The following proof-of-concept demonstrates the bypass mechanism. The script imports the vulnerable FileTools component and supplies a malicious path intended to target the system password file. The validation function processes the input and returns the resolved, unauthorized path.

from praisonaiagents.tools.file_tools import FileTools
 
# Malicious path intended to read /etc/passwd
malicious_path = '/tmp/../etc/passwd'
 
# The validation function returns the resolved path instead of raising an error
resolved_path = FileTools.validate_path(malicious_path)
print(f"Validated (resolved) path: {resolved_path}") 
# Output: Validated (resolved) path: /etc/passwd

The attack sequence can be visualized using the following logical flow diagram. It illustrates how the normalized path bypasses the security check.

Even with proper sequence checks on the raw string, naive implementations remain susceptible to variant attacks. Attackers can supply absolute paths directly to bypass directory prefix logic if the application does not explicitly anchor the path to the base workspace. Furthermore, os.path.abspath does not resolve symbolic links, permitting attackers to point a symlink to sensitive files if they possess write access to the workspace.

Impact Assessment

CVE-2026-35615 carries a CVSS v4.0 base score of 9.2, indicating a critical severity level. The attack vector specifies AV:N, meaning the vulnerability is exploitable over the network. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N).

The primary impact applies to the confidentiality and integrity of the host system. The attacker achieves arbitrary file read capabilities, exposing sensitive configuration files, environment variables, and source code. If the application exposes file write capabilities through the same component, the attacker can overwrite arbitrary system files or inject malicious code.

The CVSS vector denotes a high impact on subsequent systems (SC:H). Unauthorized access to database credentials, API keys, or private SSH keys stored on the filesystem facilitates immediate lateral movement. This grants the attacker the ability to pivot into adjacent network segments or escalate privileges within the cloud environment.

Remediation and Mitigation

The vendor addressed this vulnerability in PraisonAI version 4.5.113. System administrators must upgrade all PraisonAI deployments to version 4.5.113 or a later release to implement the corrected path validation logic. Verification of the running version is required to ensure the patch is active.

If immediate patching is not technically feasible, administrators should apply restrictive filesystem permissions. The PraisonAI service must execute under a dedicated, unprivileged service account. This account should possess read and write access strictly limited to the intended workspace directories.

Network defenders can deploy detection signatures to identify exploitation attempts. Intrusion detection systems should inspect application payloads for sequences matching ../ or ..\ directed at PraisonAI API endpoints. Web Application Firewalls can be configured to block requests containing known critical system file paths such as /etc/passwd or win.ini in the payload body.

Technical Appendix

CVSS Score
9.2/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Systems

PraisonAI

Affected Versions Detail

Product
Affected Versions
Fixed Version
PraisonAI
MervinPraison
< v4.5.113v4.5.113
AttributeDetail
CWE IDCWE-22
Attack VectorNetwork
CVSS Score9.2
AuthenticationNone Required
Exploit StatusPublic PoC Available
CISA KEVNot Listed

MITRE ATT&CK Mapping

T1083File and Directory Discovery
Discovery
T1005Data from Local System
Collection
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Timeline

Vulnerability published in GitHub Advisory Database
2026-04-06
Patch released in PraisonAI v4.5.113
2026-04-06
CVE-2026-35615 published in NVD
2026-04-07

References & Sources

  • [1]GitHub Security Advisory GHSA-693f-pf34-72c5
  • [2]PraisonAI v4.5.113 Release Notes
  • [3]PT Security dbugs PT-2026-30763
  • [4]OSV.dev Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 1 hour ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
2 views•7 min read
•about 2 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
3 views•8 min read
•about 2 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
3 views•5 min read
•about 3 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
4 views•5 min read