CVE-2026-40157 Overview
CVE-2026-40157 is a critical path traversal vulnerability affecting PraisonAI, a multi-agent teams system. The vulnerability exists in the cmd_unpack function within the recipe CLI, which extracts .praison tar archives using raw tar.extract() without validating archive member paths. A malicious .praison bundle containing ../../ entries can write files outside the intended output directory, enabling an attacker to overwrite arbitrary files on a victim's filesystem when they run praisonai recipe unpack.
Critical Impact
Arbitrary file overwrite via malicious archive distribution allows attackers to compromise system integrity, potentially leading to code execution through overwriting configuration files, scripts, or executables.
Affected Products
- PraisonAI versions prior to 4.5.128
Discovery Timeline
- 2026-04-10 - CVE CVE-2026-40157 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-40157
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw resides in PraisonAI's recipe CLI functionality that handles unpacking of .praison bundle files.
When a user executes the praisonai recipe unpack command, the underlying cmd_unpack function processes tar archives without performing validation on the paths of files contained within the archive. This allows an attacker to craft a malicious .praison bundle that includes path traversal sequences (such as ../../) in the archived file paths.
The vulnerability requires user interaction—specifically, the victim must obtain and unpack a malicious bundle. However, given the network-accessible nature of bundle distribution and the minimal prerequisites for exploitation, the attack surface is significant. Successful exploitation can result in high impact to confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause is the use of Python's raw tar.extract() method without sanitizing or validating the member paths contained within the archive. The tar.extract() function, when given archive members with relative path components like ../, will follow those paths literally, allowing writes to directories outside the intended extraction target. The absence of path canonicalization or containment checks before extraction enables this directory escape.
Attack Vector
An attacker exploiting CVE-2026-40157 would craft a malicious .praison archive containing files with path traversal sequences in their names. The attack chain proceeds as follows:
- The attacker creates a .praison bundle file containing entries with paths such as ../../.bashrc or ../../../etc/cron.d/malicious
- The malicious bundle is distributed to victims through package repositories, shared development resources, or social engineering
- When the victim runs praisonai recipe unpack on the malicious bundle, the cmd_unpack function extracts files using tar.extract() without path validation
- Files are written to locations outside the intended output directory, potentially overwriting critical system or user files
- Depending on which files are overwritten, the attacker may achieve code execution, persistence, or denial of service
The vulnerability mechanism involves unsanitized archive member paths being passed directly to extraction functions. Technical details are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-40157
Indicators of Compromise
- Presence of files in unexpected locations following use of praisonai recipe unpack command
- Modified system or configuration files with timestamps correlating to recipe unpack operations
- Unexpected .praison bundle files from untrusted sources in download directories
- File write audit logs showing paths with ../ sequences during archive extraction
Detection Strategies
- Monitor file system activity for writes outside expected PraisonAI directories during unpack operations
- Implement file integrity monitoring (FIM) on critical system files and user configuration files
- Audit command-line usage patterns for praisonai recipe unpack commands, especially with newly downloaded bundles
- Deploy endpoint detection rules that flag archive extraction operations with path traversal patterns
Monitoring Recommendations
- Enable detailed file access logging on systems where PraisonAI is installed
- Configure SentinelOne agents to monitor for suspicious file write patterns associated with archive extraction
- Implement alerting for modifications to sensitive files like shell configurations, cron jobs, or startup scripts
- Regularly audit the provenance of .praison bundles before unpacking
How to Mitigate CVE-2026-40157
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.128 or later immediately
- Audit systems for any .praison bundles from untrusted sources that may have been unpacked
- Review file system changes and restore any overwritten files from known-good backups
- Implement application allowlisting to control execution of modified files
Patch Information
The vulnerability is fixed in PraisonAI version 4.5.128. Users should upgrade to this version or later to address the path traversal issue. The fix implements proper validation of archive member paths before extraction, preventing directory escape via ../ sequences.
For additional details and patch information, refer to the GitHub Security Advisory.
Workarounds
- Avoid unpacking .praison bundles from untrusted or unverified sources
- Manually inspect archive contents using tar -tvf bundle.praison before extraction to identify path traversal attempts
- Run PraisonAI in an isolated environment or container to limit the impact of arbitrary file writes
- Implement file system restrictions using sandboxing technologies to contain extraction operations
# Inspect archive contents before unpacking to detect path traversal attempts
tar -tvf suspicious_bundle.praison | grep '\.\.'
# If upgrading via pip
pip install praisonai>=4.5.128
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
