CVE-2026-39307 Overview
CVE-2026-39307 is a Zip Slip path traversal vulnerability in PraisonAI, a multi-agent teams system maintained by MervinPraison. Versions prior to 1.5.113 are affected. The flaw exists in the templates installation feature, which downloads and extracts archives from external sources such as GitHub. The application invokes Python's zipfile.extractall() without validating whether archive entries resolve outside the intended extraction directory. Attackers can craft a malicious template archive containing entries with ../ path traversal sequences to write arbitrary files anywhere the PraisonAI process has write access. The issue is fixed in version 1.5.113.
Critical Impact
Arbitrary file write outside the extraction directory can lead to remote code execution by overwriting configuration files, Python modules, or startup scripts on the host running PraisonAI.
Affected Products
- PraisonAI versions prior to 1.5.113
- Component: praison:praisonai
- Vendor: Praison (MervinPraison)
Discovery Timeline
- 2026-04-07 - CVE-2026-39307 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-39307
Vulnerability Analysis
The vulnerability is classified as a path traversal weakness [CWE-22]. PraisonAI's template installation workflow retrieves ZIP archives from external repositories and extracts them locally. The extraction routine relies on Python's zipfile.extractall() without sanitizing or validating archive member names.
A malicious archive can include entries with relative path components such as ../../etc/cron.d/payload or absolute paths. When extracted, these entries are written outside the target directory. This pattern is commonly referred to as Zip Slip and was originally documented by Snyk in 2018.
The vulnerability requires user interaction. A victim must invoke the template installation feature against an attacker-controlled archive. No authentication is required against the PraisonAI instance itself. The impact is limited to integrity and availability, with no direct confidentiality exposure noted in the advisory.
Root Cause
The root cause is the unsafe use of zipfile.extractall() on untrusted archives. Python's standard library does not validate that resolved member paths stay within the destination directory. Developers must implement that check explicitly, typically by resolving each member against the target directory and rejecting paths that escape it.
Attack Vector
An attacker hosts a crafted template archive on a public source such as GitHub. The attacker convinces a PraisonAI user to install the template through the standard installation feature. During extraction, archive entries with traversal sequences are written to attacker-chosen locations. Overwriting Python source files imported by PraisonAI, shell startup files, or scheduled task definitions can achieve arbitrary code execution under the user account running the application.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-4ph2-f6pf-79wv for the maintainer's technical description.
Detection Methods for CVE-2026-39307
Indicators of Compromise
- Unexpected files appearing outside the PraisonAI templates directory after a template install operation
- Modified or newly created files in sensitive paths such as ~/.bashrc, ~/.ssh/authorized_keys, /etc/cron.d/, or Python site-packages directories with timestamps matching template installation events
- PraisonAI log entries referencing template downloads from untrusted or unknown repositories
Detection Strategies
- Inventory installed PraisonAI versions and flag any instance running below 1.5.113
- Inspect ZIP archives retrieved by the templates feature for entries containing .. segments or absolute paths before extraction
- Audit filesystem changes correlated with the PraisonAI process to identify writes outside the expected extraction directory
Monitoring Recommendations
- Enable file integrity monitoring on user home directories, cron directories, and Python package directories on hosts running PraisonAI
- Log all outbound requests from PraisonAI to archive hosting services and alert on downloads from non-allowlisted sources
- Track process activity for Python processes that perform zipfile operations followed by writes to paths unrelated to the templates directory
How to Mitigate CVE-2026-39307
Immediate Actions Required
- Upgrade PraisonAI to version 1.5.113 or later on all hosts
- Restrict template installation to archives sourced from trusted, internally controlled repositories until the upgrade is complete
- Run PraisonAI under a dedicated low-privilege account with write access limited to its working directories
Patch Information
The maintainer released a fix in PraisonAI 1.5.113. The patch validates that each archive member resolves inside the intended extraction directory before writing. Refer to the GitHub Security Advisory GHSA-4ph2-f6pf-79wv for commit details and release notes.
Workarounds
- Disable the templates installation feature in environments that cannot immediately upgrade
- Pre-screen template archives by listing contents with unzip -l and rejecting any archive containing .. or absolute paths
- Execute PraisonAI inside a container or sandbox with a read-only root filesystem and a narrowly scoped writable volume
# Inspect a template archive for traversal entries before installation.
# -Z1 lists bare member names one per line (zipinfo mode), so names containing spaces
# are not truncated; the pattern flags leading slashes and any '..' path component.
# grep exits 1 when nothing matches, i.e. the archive is clean.
unzip -Z1 suspicious-template.zip | grep -E '(^/|(^|/)\.\.(/|$))'
# Upgrade PraisonAI to the patched release
pip install --upgrade 'praisonai>=1.5.113'
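The explicit containment check described under Root Cause, combined with the pre-screening step from Detection Strategies and Workarounds, as an added example written for this page (not PraisonAI's own code or the maintainer's patch). The archive contents and the extraction directory are constructed for the demonstration; the traversal entry names follow the pattern quoted in the advisory text.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def unsafe_members(zf: zipfile.ZipFile, dest: Path) -> list[str]:
    """Return archive member names that would land outside dest."""
    root = dest.resolve()
    bad = []
    for name in zf.namelist():
        # Reject absolute names and any '..' component, then confirm the resolved path is under root.
        escapes = name.startswith("/") or ".." in PurePosixPath(name).parts
        if not escapes:
            escapes = not (root / name).resolve().is_relative_to(root)
        if escapes:
            bad.append(name)
    return bad

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only when every member stays inside dest; return the member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = unsafe_members(zf, Path(dest))
        if bad:
            raise ValueError(f"refusing to extract, traversal entries: {bad}")
        zf.extractall(dest)
        return zf.namelist()

def build_demo_archive(with_traversal: bool) -> bytes:
    """Constructed sample template archive; the traversal entries mirror the advisory's pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("template/agents.yaml", "framework: praisonai\n")
        if with_traversal:
            zf.writestr("../../etc/cron.d/payload", "constructed, never extracted\n")
            zf.writestr("/tmp/absolute.txt", "constructed, never extracted\n")
    return buf.getvalue()

def run_demo() -> dict:
    # Pre-screen and refuse the malicious archive, extract the clean one, report what reached disk.
    with tempfile.TemporaryDirectory() as dest:
        malicious = build_demo_archive(True)
        with zipfile.ZipFile(io.BytesIO(malicious)) as zf:
            flagged = unsafe_members(zf, Path(dest))
        try:
            safe_extract(malicious, dest)
            refused = False
        except ValueError:
            refused = True
        names = safe_extract(build_demo_archive(False), dest)
        on_disk = sorted(str(p.relative_to(dest)) for p in Path(dest).rglob("*") if p.is_file())
    return {"flagged": flagged, "refused": refused, "names": names, "on_disk": on_disk}
```

Running unsafe_members before extraction gives a list suitable for logging or alerting, while safe_extract refuses the whole archive rather than silently skipping the offending entries.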
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.