CVE-2026-39306 Overview
A path traversal vulnerability exists in PraisonAI, a multi-agent teams system, prior to version 1.5.113. The vulnerability stems from unsafe handling of .praison tar archives during the recipe registry pull flow. The application uses tar.extractall() without validating archive member paths before extraction, allowing attackers to write files outside the intended output directory.
A malicious publisher can craft and upload a recipe bundle containing ../ traversal entries to the registry. When any user pulls that compromised recipe, files are written to arbitrary locations on the victim's filesystem. This vulnerability affects both the local registry pull path and the HTTP registry pull path, making it a client-side arbitrary file write vulnerability with significant impact potential.
Critical Impact
Attackers can achieve arbitrary file write on victim systems by publishing malicious recipe bundles, potentially leading to code execution or system compromise when users pull the poisoned recipes.
Affected Products
- PraisonAI versions prior to 1.5.113
- PraisonAI local registry pull functionality
- PraisonAI HTTP registry pull functionality
Discovery Timeline
- April 7, 2026 - CVE-2026-39306 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39306
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The flaw exists in how PraisonAI processes tar archives when pulling recipes from registries.
The vulnerable code path extracts attacker-controlled .praison tar archives using Python's tar.extractall() method. This function, when used without proper safeguards, will honor relative path components like ../ within archive member names. An attacker can leverage this behavior to escape the designated extraction directory and write files to arbitrary filesystem locations.
Critically, the checksum verification mechanism does not prevent exploitation. Since the malicious traversal payload is embedded within the signed bundle itself, the archive passes integrity checks while still containing weaponized path entries. This means the security control provides a false sense of protection.
Root Cause
The root cause is the absence of path validation before extracting tar archive members. When tar.extractall() processes an archive, it trusts the embedded file paths without sanitization. The application fails to:
- Validate that extracted paths remain within the target directory
- Normalize paths to remove traversal sequences
- Reject archive members with suspicious path components
This is a well-known vulnerability pattern in archive extraction code, often referred to as a "Zip Slip" or "Tar Slip" attack when applied to tar archives.
Attack Vector
The attack is network-based and requires user interaction. An attacker with registry publishing privileges can:
- Create a malicious .praison tar archive containing files with ../ path sequences
- Publish this poisoned recipe bundle to the registry
- Wait for victims to pull the recipe using either local or HTTP registry methods
- Upon extraction, files are written outside the expected directory
The exploitation scenario could involve overwriting configuration files, planting malicious scripts in startup directories, or replacing legitimate binaries with trojanized versions. The attacker requires low privileges (registry publishing access) but exploitation depends on victim interaction (pulling the recipe).
The vulnerability mechanism involves crafting tar archive entries with relative path components. When the victim's PraisonAI client extracts these entries, the traversal sequences cause files to be written to unintended locations on the filesystem. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39306
Indicators of Compromise
- Unexpected files appearing in directories outside of PraisonAI recipe storage locations
- Modified system configuration files or startup scripts following recipe pulls
- Presence of ../ sequences in PraisonAI log files related to recipe extraction
- New or modified files in home directories, /tmp, or other sensitive locations after recipe operations
Detection Strategies
- Monitor file creation events in sensitive directories that occur during or immediately after PraisonAI recipe pull operations
- Implement file integrity monitoring (FIM) on critical system files and configuration directories
- Review PraisonAI recipe pull logs for suspicious archive contents or extraction errors
- Audit registry for recipes containing path traversal patterns in their archived file entries
Monitoring Recommendations
- Enable verbose logging for PraisonAI recipe operations to capture extraction details
- Implement endpoint detection rules for unexpected file writes following Python process execution
- Monitor for tar extraction operations that result in writes outside expected directories
- Consider network monitoring to detect pulls of suspicious recipe bundles from untrusted publishers
How to Mitigate CVE-2026-39306
Immediate Actions Required
- Upgrade PraisonAI to version 1.5.113 or later immediately
- Audit systems for signs of compromise if recipes were pulled from untrusted publishers
- Review file integrity on systems where PraisonAI has been used to pull third-party recipes
- Consider restricting recipe pulls to trusted, verified publishers until patching is complete
Patch Information
The vulnerability has been addressed in PraisonAI version 1.5.113. The fix implements proper path validation before extraction, ensuring archive members cannot escape the intended output directory. Users should update to this version or later to remediate the vulnerability.
For additional details about the fix, refer to the GitHub Security Advisory.
Workarounds
- Avoid pulling recipes from untrusted or unverified publishers until the patch is applied
- Implement network-level controls to restrict access to untrusted recipe registries
- Run PraisonAI in a sandboxed environment or container with limited filesystem access
- Manually inspect .praison archive contents before extraction using tar -tvf to check for traversal patterns
# Inspect archive contents before extraction
tar -tvf recipe.praison | grep -E '\.\./'
# Run PraisonAI with restricted filesystem access using Docker
docker run --read-only -v /safe/output:/output praisonai pull recipe-name
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
