CVE-2026-39307 Overview
CVE-2026-39307 is a Path Traversal vulnerability affecting PraisonAI, a multi-agent teams system. Prior to version 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying whether the entries within the archive resolve to paths outside the intended extraction directory.
Critical Impact
Attackers can craft malicious ZIP archives containing files with path traversal sequences (e.g., ../../) that, when extracted, write arbitrary files to locations outside the intended directory. This can lead to overwriting critical system files, planting backdoors, or achieving remote code execution.
Affected Products
- PraisonAI versions prior to 1.5.113
- Applications using PraisonAI template installation features
- Systems downloading template archives from external sources
Discovery Timeline
- 2026-04-07 - CVE-2026-39307 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39307
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in PraisonAI's template installation functionality, which downloads and extracts ZIP archives from external sources without proper validation of file paths within the archive.
The core issue stems from the use of Python's zipfile.extractall() method without implementing path canonicalization checks. When a malicious ZIP archive contains entries with relative path components like ../, the extraction process follows these paths, potentially writing files to arbitrary locations on the filesystem outside the intended extraction directory.
This attack requires user interaction, as the victim must initiate the template installation process. However, once triggered, the attacker gains significant control over the target filesystem, potentially leading to integrity compromise through file overwrites or availability impact through corruption of system files.
Root Cause
The root cause is the unsafe use of Python's zipfile.extractall() method without implementing proper path sanitization. The method extracts files based on the paths stored within the ZIP archive entries. When these paths contain directory traversal sequences (such as ../), the extraction follows the relative path resolution, allowing files to be written outside the designated extraction directory.
Secure implementations should validate that each extracted file's resolved absolute path remains within the intended target directory by comparing canonical paths before extraction.
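The check described above, as an added example that is not PraisonAI's code: every member name is resolved against the destination directory and compared on canonical paths before anything is written, so a single traversal entry aborts the whole installation. The two archives are constructed in memory for the demo; CPython's own extractall() has stripped leading slashes and ".." components from member names since 3.3.1 (see the zipfile documentation), so on current interpreters the explicit check is defence in depth, but it remains the right control wherever entry names are turned into paths by other code, and it fails closed instead of silently renaming entries.

```python
"""Added example, not PraisonAI's code: refuse a ZIP whose entries would land
outside the destination directory, checking canonical paths before extraction.

The two archives at the bottom are constructed in memory for the demo."""
import io
import os
import tempfile
import zipfile


def escaping_members(zf: zipfile.ZipFile, dest_dir: str) -> list[str]:
    """Return member names whose resolved path is not inside dest_dir.

    realpath() collapses '..' segments and resolves symlinks in dest_dir, so
    the comparison is made between canonical paths, as the advisory recommends.
    """
    dest_real = os.path.realpath(dest_dir)
    bad = []
    for info in zf.infolist():
        name = info.filename
        # os.path.join discards dest_real when name is absolute; reject those outright.
        if os.path.isabs(name) or name.startswith(("/", "\\")):
            bad.append(name)
            continue
        target = os.path.realpath(os.path.join(dest_real, name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract the archive into dest_dir, or raise ValueError having written nothing.

    All members are checked first so a traversal entry anywhere in the archive
    aborts the whole installation. Returns the extracted member names.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        bad = escaping_members(zf, dest_dir)
        if bad:
            raise ValueError(f"archive contains path traversal entries: {bad}")
        os.makedirs(dest_dir, exist_ok=True)
        for info in zf.infolist():
            zf.extract(info, dest_dir)
        return [info.filename for info in zf.infolist()]


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content}.

    ZipInfo keeps member names verbatim, so '..' segments survive, which is
    what an attacker-controlled archive would contain.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


# Constructed sample archives: a well-formed template and one carrying a traversal entry.
BENIGN_ZIP = build_zip({
    "template/agents.yaml": b"agents: []\n",
    "template/README.md": b"# demo template\n",
})
TRAVERSAL_ZIP = build_zip({
    "template/agents.yaml": b"agents: []\n",
    "../../escaped.txt": b"this would land two directories above the target\n",
})


def run_demo() -> dict:
    """Extract both archives into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "templates", "demo")
        result = {"benign": sorted(safe_extract(BENIGN_ZIP, dest))}
        with zipfile.ZipFile(io.BytesIO(TRAVERSAL_ZIP)) as zf:
            result["offending"] = escaping_members(zf, dest)
        try:
            safe_extract(TRAVERSAL_ZIP, dest)
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = True
        # The traversal entry would have been written to <tmp>/escaped.txt.
        result["escaped_file_written"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running the module extracts the benign template and reports the traversal archive as rejected with nothing written outside the scratch directory. Checking all members before extracting any is deliberate: extracting as you go and stopping at the first bad entry would leave a half-installed template behind.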
Attack Vector
The attack requires network access and user interaction. An attacker would need to:
- Create a malicious ZIP archive containing files with path traversal sequences in their names (e.g., ../../../etc/cron.d/malicious)
- Host the malicious archive on a source that PraisonAI will accept for template downloads (such as a GitHub repository)
- Convince a user to install the malicious template through PraisonAI's template installation feature
- Once the user triggers extraction, the archive's entries are written to arbitrary locations on the filesystem, potentially overwriting critical configuration files, planting web shells, or modifying application code
The vulnerability mechanism relies on the zipfile.extractall() function not performing path validation before writing files. When encountering a ZIP entry with a name like ../../../tmp/malicious.py, the function resolves this relative path from the extraction directory, allowing writes outside the intended scope. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39307
Indicators of Compromise
- Unexpected files appearing in system directories outside PraisonAI's installation path
- Modified configuration files or application code with recent timestamps correlating to template installations
- Presence of files with suspicious names in /etc/, /tmp/, or web-accessible directories
- Log entries showing template downloads followed by unusual file system activity
Detection Strategies
- Monitor file system events during PraisonAI template installation operations for writes outside the expected extraction directory
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review PraisonAI logs for template installation events and correlate with file system changes
- Deploy endpoint detection rules that alert on zipfile.extractall() operations followed by file writes containing ../ in paths
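The first strategy in the list above, writes landing outside the expected extraction directory, can be checked after the fact with a baseline-and-diff pass. The following is an added example, not PraisonAI's code or a SentinelOne rule: it hashes every file under a watched root before and after an installation and reports anything new or changed that is not under the template directory. The directory tree and the simulated installation are constructed in a scratch directory; in practice the watched root would cover the template directory's parent and sensitive locations such as /etc.

```python
"""Added example, not PraisonAI's code: baseline-and-diff check for files
created or modified outside the expected extraction directory during a
template installation. The tree below is constructed in a scratch directory."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root to the SHA-256 of its content.

    Hashing rather than comparing mtimes catches in-place overwrites that keep
    the original size and ignores touch-only changes.
    """
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path):
                continue  # a link's target is hashed under its own path if it is in the tree
            with open(path, "rb") as fh:
                state[os.path.realpath(path)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def writes_outside(before: dict[str, str], after: dict[str, str], allowed_dir: str) -> list[str]:
    """Return files that are new or changed since `before` and not under allowed_dir.

    A write inside allowed_dir is the template being installed; anything else
    is the indicator the advisory describes: a file appearing or changing
    outside PraisonAI's extraction path right after an installation.
    """
    allowed = os.path.realpath(allowed_dir)
    findings = []
    for path, digest in after.items():
        if before.get(path) == digest:
            continue  # unchanged
        if os.path.commonpath([allowed, path]) == allowed:
            continue  # expected: inside the extraction directory
        findings.append(path)
    return sorted(findings)


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo() -> list[str]:
    """Simulate an installation that writes one file in place and two outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        templates = os.path.join(root, "templates")
        _write(os.path.join(root, "etc", "app.conf"), b"debug=false\n")
        before = snapshot(root)

        # Constructed installation: the legitimate template file plus two writes
        # of the kind a traversal entry would produce outside the template tree.
        _write(os.path.join(templates, "demo", "agents.yaml"), b"agents: []\n")
        _write(os.path.join(root, "etc", "app.conf"), b"debug=true\n")
        _write(os.path.join(root, "etc", "newfile.conf"), b"unexpected\n")

        after = snapshot(root)
        return [os.path.relpath(p, root) for p in writes_outside(before, after, templates)]


if __name__ == "__main__":
    for finding in run_demo():
        print("write outside extraction dir:", finding)
```

The demo reports etc/app.conf (modified) and etc/newfile.conf (created) and stays silent about templates/demo/agents.yaml. Deleted files are not surfaced by this diff; if removals matter for your environment, also report paths present in the baseline but absent afterwards.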
Monitoring Recommendations
- Enable audit logging for file creation and modification events in sensitive directories
- Monitor network requests to external template sources and validate the integrity of downloaded archives
- Implement application-level logging that records all template installation activities with source URLs and extracted file paths
- Configure SentinelOne to detect path traversal patterns in file operations and alert on suspicious extraction behavior
How to Mitigate CVE-2026-39307
Immediate Actions Required
- Upgrade PraisonAI to version 1.5.113 or later immediately
- Audit systems for any indicators of compromise, particularly unexpected files in system directories
- Review recently installed templates and verify their source integrity
- Temporarily disable template installation features if immediate upgrade is not possible
Patch Information
The vulnerability has been fixed in PraisonAI version 1.5.113. Users should upgrade to this version or later to remediate the vulnerability. The fix implements proper path validation to ensure extracted files cannot escape the intended extraction directory. For more details, consult the GitHub Security Advisory.
Workarounds
- Disable the template installation feature until the patch can be applied
- Implement network-level controls to restrict template downloads to trusted, verified sources only
- Use file system permissions to limit write access from the PraisonAI process to only necessary directories
- Deploy SentinelOne endpoint protection to detect and block path traversal exploitation attempts in real-time
# Upgrade PraisonAI to the patched version (quote the specifier so the shell
# does not treat ">=" as output redirection)
pip install --upgrade "praisonai>=1.5.113"
# Verify the installed version
pip show praisonai | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


