Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39306

CVE-2026-39306: PraisonAI Path Traversal Vulnerability

CVE-2026-39306 is a path traversal vulnerability in PraisonAI that allows attackers to write arbitrary files outside intended directories through malicious recipe bundles. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-39306 Overview

A path traversal vulnerability exists in PraisonAI, a multi-agent teams system, prior to version 1.5.113. The vulnerability stems from unsafe handling of .praison tar archives during the recipe registry pull flow. The application uses tar.extractall() without validating archive member paths before extraction, allowing attackers to write files outside the intended output directory.

A malicious publisher can craft and upload a recipe bundle containing ../ traversal entries to the registry. When any user pulls that compromised recipe, files are written to arbitrary locations on the victim's filesystem. This vulnerability affects both the local registry pull path and the HTTP registry pull path, making it a client-side arbitrary file write vulnerability with significant impact potential.

Critical Impact

Attackers can achieve arbitrary file write on victim systems by publishing malicious recipe bundles, potentially leading to code execution or system compromise when users pull the poisoned recipes.

Affected Products

  • PraisonAI versions prior to 1.5.113
  • PraisonAI local registry pull functionality
  • PraisonAI HTTP registry pull functionality

Discovery Timeline

  • April 7, 2026 - CVE-2026-39306 published to NVD
  • April 8, 2026 - Last updated in NVD database

Technical Details for CVE-2026-39306

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The flaw exists in how PraisonAI processes tar archives when pulling recipes from registries.

The vulnerable code path extracts attacker-controlled .praison tar archives using Python's tar.extractall() method. This function, when used without proper safeguards, will honor relative path components like ../ within archive member names. An attacker can leverage this behavior to escape the designated extraction directory and write files to arbitrary filesystem locations.

Critically, the checksum verification mechanism does not prevent exploitation. Since the malicious traversal payload is embedded within the signed bundle itself, the archive passes integrity checks while still containing weaponized path entries. This means the security control provides a false sense of protection.

Root Cause

The root cause is the absence of path validation before extracting tar archive members. When tar.extractall() processes an archive, it trusts the embedded file paths without sanitization. The application fails to:

  1. Validate that extracted paths remain within the target directory
  2. Normalize paths to remove traversal sequences
  3. Reject archive members with suspicious path components

This is a well-known vulnerability pattern in archive extraction code, often referred to as a "Zip Slip" or "Tar Slip" attack when applied to tar archives.

Attack Vector

The attack is network-based and requires user interaction. An attacker with registry publishing privileges can:

  1. Create a malicious .praison tar archive containing files with ../ path sequences
  2. Publish this poisoned recipe bundle to the registry
  3. Wait for victims to pull the recipe using either local or HTTP registry methods
  4. Upon extraction, files are written outside the expected directory

The exploitation scenario could involve overwriting configuration files, planting malicious scripts in startup directories, or replacing legitimate binaries with trojanized versions. The attacker requires low privileges (registry publishing access) but exploitation depends on victim interaction (pulling the recipe).

The vulnerability mechanism involves crafting tar archive entries with relative path components. When the victim's PraisonAI client extracts these entries, the traversal sequences cause files to be written to unintended locations on the filesystem. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-39306

Indicators of Compromise

  • Unexpected files appearing in directories outside of PraisonAI recipe storage locations
  • Modified system configuration files or startup scripts following recipe pulls
  • Presence of ../ sequences in PraisonAI log files related to recipe extraction
  • New or modified files in home directories, /tmp, or other sensitive locations after recipe operations

Detection Strategies

  • Monitor file creation events in sensitive directories that occur during or immediately after PraisonAI recipe pull operations
  • Implement file integrity monitoring (FIM) on critical system files and configuration directories
  • Review PraisonAI recipe pull logs for suspicious archive contents or extraction errors
  • Audit registry for recipes containing path traversal patterns in their archived file entries

Monitoring Recommendations

  • Enable verbose logging for PraisonAI recipe operations to capture extraction details
  • Implement endpoint detection rules for unexpected file writes following Python process execution
  • Monitor for tar extraction operations that result in writes outside expected directories
  • Consider network monitoring to detect pulls of suspicious recipe bundles from untrusted publishers

How to Mitigate CVE-2026-39306

Immediate Actions Required

  • Upgrade PraisonAI to version 1.5.113 or later immediately
  • Audit systems for signs of compromise if recipes were pulled from untrusted publishers
  • Review file integrity on systems where PraisonAI has been used to pull third-party recipes
  • Consider restricting recipe pulls to trusted, verified publishers until patching is complete

Patch Information

The vulnerability has been addressed in PraisonAI version 1.5.113. The fix implements proper path validation before extraction, ensuring archive members cannot escape the intended output directory. Users should update to this version or later to remediate the vulnerability.

For additional details about the fix, refer to the GitHub Security Advisory.

Workarounds

  • Avoid pulling recipes from untrusted or unverified publishers until the patch is applied
  • Implement network-level controls to restrict access to untrusted recipe registries
  • Run PraisonAI in a sandboxed environment or container with limited filesystem access
  • Manually inspect .praison archive contents before extraction using tar -tvf to check for traversal patterns
bash
# Inspect archive contents before extraction
tar -tvf recipe.praison | grep -E '\.\./'

# Run PraisonAI with restricted filesystem access using Docker
docker run --read-only -v /safe/output:/output praisonai pull recipe-name

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.