CVE-2026-35615: Critical Path Traversal in PraisonAI FileTools

PraisonAI operates as a multi-agent teams system designed to automate complex workflows. The application exposes file system operations through the FileTools component. This component processes user-supplied file paths to execute operations such as reading, writing, and deleting files within a designated workspace.

A critical path traversal vulnerability, tracked as CVE-2026-35615, exists within the validate_path function of the FileTools component. The flaw belongs to the CWE-22 vulnerability class, representing an improper limitation of a pathname to a restricted directory. This occurs due to a flawed order of operations during path sanitization.

The vulnerability permits unauthenticated, remote attackers to supply crafted file paths containing traversal sequences. These sequences bypass the validation logic and resolve to absolute paths outside the intended workspace boundary. Exploitation results in arbitrary file read and write access across the host operating system.

The root cause of CVE-2026-35615 is an improper implementation of path validation logic. The validate_path function relies on Python's standard os.path.normpath() function to sanitize user input. The application attempts to detect traversal attacks by checking for the presence of the .. sequence within the sanitized string.

This implementation contains a fundamental logic error. The os.path.normpath() function operates by resolving and collapsing parent directory .. sequences to generate a clean, normalized path string. When an attacker provides a path like /app/data/../../etc/passwd, the function normalizes it directly to /etc/passwd.

The security check if '..' in normalized: executes immediately after normalization. Since the normpath function has already stripped all traversal sequences from the string, the condition consistently evaluates to False. The validation mechanism fails to detect the attack entirely.

Following this failed check, the function converts the normalized string to an absolute path using os.path.abspath() and returns it. The calling function then uses this path for subsequent file operations. The application executes these operations with the privileges of the running process.

The vulnerable code path demonstrates the critical flaw in the sanitization sequence. The developer intended to sanitize the input first, then check the resulting string for malicious patterns. This approach fundamentally misunderstands the behavior of the normalization function.

# src/praisonai-agents/praisonaiagents/tools/file_tools.py
class FileTools:
    @staticmethod
    def validate_path(filepath: str) -> str:
        # Normalization collapses .. sequences
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)
        
        # Validation occurs after the sequences are removed
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")
        
        return absolute

A robust remediation requires validating the raw input before any normalization occurs. Additionally, the application must enforce a strict sandbox by verifying that the final absolute path resides within a designated base directory. The patched implementation utilizes os.path.abspath to resolve the intended base directory and the requested file path independently.

def validate_path(filepath: str, base_dir: str) -> str:
    # Check for traversal sequences in the raw input
    if '..' in filepath:
        raise ValueError("Traversal sequence detected")
        
    # Construct and verify the absolute path boundary
    absolute = os.path.abspath(os.path.join(base_dir, filepath))
    if not absolute.startswith(os.path.abspath(base_dir)):
        raise ValueError("Access outside base directory")
        
    return absolute

Exploitation of this vulnerability requires an attacker to interact with any PraisonAI tool that delegates path handling to FileTools. Affected functionalities include read_file, write_file, list_files, and delete_file. The attacker supplies a crafted payload containing parent directory traversal sequences.

The following proof-of-concept demonstrates the bypass mechanism. The script imports the vulnerable FileTools component and supplies a malicious path intended to target the system password file. The validation function processes the input and returns the resolved, unauthorized path.

from praisonaiagents.tools.file_tools import FileTools
 
# Malicious path intended to read /etc/passwd
malicious_path = '/tmp/../etc/passwd'
 
# The validation function returns the resolved path instead of raising an error
resolved_path = FileTools.validate_path(malicious_path)
print(f"Validated (resolved) path: {resolved_path}") 
# Output: Validated (resolved) path: /etc/passwd

The attack sequence can be visualized using the following logical flow diagram. It illustrates how the normalized path bypasses the security check.

Even with proper sequence checks on the raw string, naive implementations remain susceptible to variant attacks. Attackers can supply absolute paths directly to bypass directory prefix logic if the application does not explicitly anchor the path to the base workspace. Furthermore, os.path.abspath does not resolve symbolic links, permitting attackers to point a symlink to sensitive files if they possess write access to the workspace.

CVE-2026-35615 carries a CVSS v4.0 base score of 9.2, indicating a critical severity level. The attack vector specifies AV:N, meaning the vulnerability is exploitable over the network. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N).

The primary impact applies to the confidentiality and integrity of the host system. The attacker achieves arbitrary file read capabilities, exposing sensitive configuration files, environment variables, and source code. If the application exposes file write capabilities through the same component, the attacker can overwrite arbitrary system files or inject malicious code.

The CVSS vector denotes a high impact on subsequent systems (SC:H). Unauthorized access to database credentials, API keys, or private SSH keys stored on the filesystem facilitates immediate lateral movement. This grants the attacker the ability to pivot into adjacent network segments or escalate privileges within the cloud environment.

The vendor addressed this vulnerability in PraisonAI version 4.5.113. System administrators must upgrade all PraisonAI deployments to version 4.5.113 or a later release to implement the corrected path validation logic. Verification of the running version is required to ensure the patch is active.

If immediate patching is not technically feasible, administrators should apply restrictive filesystem permissions. The PraisonAI service must execute under a dedicated, unprivileged service account. This account should possess read and write access strictly limited to the intended workspace directories.

Network defenders can deploy detection signatures to identify exploitation attempts. Intrusion detection systems should inspect application payloads for sequences matching ../ or ..\ directed at PraisonAI API endpoints. Web Application Firewalls can be configured to block requests containing known critical system file paths such as /etc/passwd or win.ini in the payload body.