CVE-2026-44336 Overview
CVE-2026-44336 is a path traversal vulnerability in PraisonAI, a multi-agent AI teams framework. The flaw exists in the Model Context Protocol (MCP) server (praisonai mcp serve) in versions prior to 4.6.34. Four file-handling tools accept user-supplied path strings: the rules tools join the value onto ~/.praison/rules/ and the workflow tool takes a path directly, none of them with a containment check. An attacker can supply traversal sequences such as ../../ to read, write or delete files anywhere the user running the server has the matching filesystem permissions. The issue maps to [CWE-20] Improper Input Validation. Dropping a Python .pth file into the user site-packages directory turns the write primitive into arbitrary code execution in subsequent Python processes started by that user.
Critical Impact
Unauthenticated attackers who can reach the PraisonAI MCP server can write arbitrary files through its tool calls and, by planting a .pth file, achieve code execution as the user account running the server.
Affected Products
- PraisonAI versions prior to 4.6.34
- PraisonAI MCP server component (praisonai mcp serve)
- Deployments exposing praisonai.rules.* and praisonai.workflow.show tools
Discovery Timeline
- 2026-05-08 - CVE-2026-44336 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-44336
Vulnerability Analysis
The PraisonAI MCP server registers four file-handling tools by default: praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each tool accepts a path or filename string from MCP tools/call arguments. The handlers join the supplied value onto ~/.praison/rules/ for the rules tools, while workflow.show accepts an absolute path directly. None of the handlers verify that the resolved path stays within the intended base directory.
The JSON-RPC dispatcher compounds the issue by passing params["arguments"] to each handler via **kwargs without validating inputs against the advertised tool input schema. Attackers can therefore supply arbitrary parameter names and values that the handlers consume directly. This breaks the implicit trust boundary between MCP clients and the server.
Root Cause
The root cause is missing containment validation on filesystem paths derived from untrusted MCP arguments. The handlers rely on string concatenation rather than canonicalizing the resolved path and checking it against the allowed base directory. The absent schema enforcement at the dispatcher layer removes the secondary defense that would otherwise reject unexpected fields.
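The two layers described above, the handler-level containment check and the dispatcher-level schema check, side by side with the flawed string-join pattern. This is an added example, not PraisonAI's code: the argument names (rule_name, content), the schema dict, the handler and the dispatch() function are assumed for illustration, while the base directory ~/.praison/rules/ and the tool name praisonai.rules.create come from the advisory text.

```python
"""Vulnerable vs. hardened rule-path handling behind an MCP tools/call dispatcher.

Added example, not PraisonAI's code. Assumed: parameter names rule_name/content,
the TOOL_SCHEMAS shape, and the dispatch() helper. Only the technique matters.
"""
import os
from pathlib import Path

RULES_DIR = Path.home() / ".praison" / "rules"   # base directory named in the advisory


class PathContainmentError(ValueError):
    """Raised when an untrusted name would resolve outside the base directory."""


def vulnerable_rule_path(base: Path, rule_name: str) -> Path:
    """The flawed pattern: join the untrusted string onto the base and use it as-is.
    '../../x' or an absolute value escapes the directory. Kept only for contrast."""
    return Path(os.path.join(str(base), rule_name))


def contained_rule_path(base: Path, rule_name: str) -> Path:
    """Hardened: canonicalize base and candidate, then require the candidate to sit
    strictly inside the base. resolve() follows symlinks, so a symlink inside the
    rules directory that points outside is rejected as well."""
    if not rule_name or "\x00" in rule_name:
        raise PathContainmentError("empty or NUL-containing rule name")
    if Path(rule_name).is_absolute() or rule_name[0] in "/\\":
        raise PathContainmentError("absolute paths are not allowed")
    base_real = base.resolve()
    candidate = (base_real / rule_name).resolve()
    try:
        candidate.relative_to(base_real)          # raises ValueError if outside
    except ValueError:
        raise PathContainmentError(f"{rule_name!r} escapes {base_real}") from None
    if candidate == base_real:
        raise PathContainmentError("rule name resolves to the base directory itself")
    return candidate


# Minimal JSON-Schema-style description of one tool (assumed shape, not the project's).
TOOL_SCHEMAS = {
    "praisonai.rules.create": {
        "properties": {"rule_name": {"type": "string"}, "content": {"type": "string"}},
        "required": ["rule_name", "content"],
        "additionalProperties": False,
    },
}
_JSON_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}


def validate_arguments(tool: str, arguments) -> dict:
    """The dispatcher-layer check the advisory says was absent: reject unknown keys,
    missing required keys and wrong types before anything is splatted into **kwargs."""
    schema = TOOL_SCHEMAS[tool]
    props = schema["properties"]
    if not isinstance(arguments, dict):
        raise TypeError("arguments must be a JSON object")
    extra = set(arguments) - set(props)
    if extra and not schema.get("additionalProperties", True):
        raise ValueError(f"unexpected arguments: {sorted(extra)}")
    missing = set(schema.get("required", [])) - set(arguments)
    if missing:
        raise ValueError(f"missing arguments: {sorted(missing)}")
    for key, value in arguments.items():
        if key in props and not isinstance(value, _JSON_TYPES[props[key]["type"]]):
            raise TypeError(f"{key} must be of type {props[key]['type']}")
    return arguments


def rules_create(base: Path, rule_name: str, content: str) -> Path:
    """Hardened handler: the only writes it can perform land inside base."""
    target = contained_rule_path(base, rule_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


HANDLERS = {"praisonai.rules.create": rules_create}


def dispatch(request: dict, base: Path = RULES_DIR) -> dict:
    """JSON-RPC tools/call dispatcher that validates arguments, then calls the handler.
    Any containment or schema failure becomes an Invalid params (-32602) error."""
    rid = request.get("id")
    params = request.get("params") or {}
    tool, arguments = params.get("name"), params.get("arguments", {})
    try:
        if request.get("method") != "tools/call" or tool not in HANDLERS:
            raise KeyError(f"unsupported call: {request.get('method')} {tool}")
        validate_arguments(tool, arguments)
        written = HANDLERS[tool](base, **arguments)
    except (KeyError, ValueError, TypeError) as exc:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32602, "message": str(exc)}}
    return {"jsonrpc": "2.0", "id": rid, "result": {"path": str(written)}}
```

The containment check deliberately resolves both sides before comparing: checking the raw string for ".." misses encoded forms and symlinks, while a prefix comparison on unresolved strings can be fooled by a sibling directory such as ~/.praison/rules-old/. The schema check is independent of the handler and is what stops a client from smuggling a parameter the handler never advertised.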
Attack Vector
An attacker sends an MCP tools/call request with a crafted rule_name value such as ../../<target-path>. The server traverses out of the rules directory and writes attacker-controlled content to the specified location. By placing a .pth file in the user site-packages directory, the attacker turns the write primitive into arbitrary code execution. The injected Python runs the next time the user launches the PraisonAI CLI, executes an IDE script, opens a Python REPL, or starts any background Python service.
Refer to the GitHub Security Advisory GHSA-9mqq-jqxf-grvw for vendor technical details.
Detection Methods for CVE-2026-44336
Indicators of Compromise
- MCP tools/call requests targeting praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, or praisonai.workflow.show with .. traversal sequences in arguments
- New or modified .pth files in the user site-packages directory not deployed by package management
- Unexpected files written outside ~/.praison/rules/ by the user account running the MCP server
- Anomalous Python processes loading code from user-writable paths after PraisonAI activity
Detection Strategies
- Inspect MCP server logs for argument values containing ../, absolute paths, or encoded and alternate forms of traversal sequences (for example %2e%2e%2f, double percent-encoding, or backslash separators) in rule or workflow tool calls
- Baseline the contents of ~/.praison/rules/ and the user site-packages directory; alert on out-of-band file creation
- Monitor for child processes spawned by praisonai that read or execute files from non-standard directories
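The log-inspection strategy above as runnable detection logic over constructed JSON-RPC request lines. This is an added example, not part of the advisory or of PraisonAI: it assumes one JSON-RPC request object per log line (the real server's log format may differ) and the argument names used in the sample lines. Absolute paths are reported as well, but note that praisonai.workflow.show takes an absolute path as its normal input, so those hits are for analyst review against the expected workflow directory rather than an attack on their own.

```python
"""Scan MCP JSON-RPC request logs for path-traversal indicators in PraisonAI
file-handling tool calls.

Added example, not PraisonAI code. Assumptions: one JSON-RPC request per log
line, and the argument names (rule_name, path) used in the constructed sample.
"""
import json
import re
from urllib.parse import unquote

WATCHED_TOOLS = {
    "praisonai.rules.create",
    "praisonai.rules.show",
    "praisonai.rules.delete",
    "praisonai.workflow.show",
}
# A '..' path segment bounded by start/end or a separator, checked after normalization.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def normalize(value: str) -> str:
    """Undo up to three layers of percent-encoding (stopping at a fixpoint) and fold
    backslashes to '/', so %2e%2e%2f, %252e%252e and ..\\ all read as traversal."""
    current = value
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def reasons_for(value) -> list:
    """Why one argument value is suspicious; empty list when it is not."""
    if not isinstance(value, str):
        return []
    norm = normalize(value)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("traversal sequence")
    if norm != value.replace("\\", "/"):
        reasons.append("percent-encoded path characters")
    if norm.startswith("/") or DRIVE_RE.match(norm):
        reasons.append("absolute path")
    if "\x00" in norm:
        reasons.append("NUL byte")
    return reasons


def _walk(obj, prefix=""):
    """Yield (dotted_key, leaf_value) for every leaf of a nested arguments object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def scan_line(line_no: int, line: str) -> list:
    """Findings for one log line; non-JSON, non-tools/call and unwatched tools yield none."""
    try:
        req = json.loads(line)
    except json.JSONDecodeError:
        return []
    if not isinstance(req, dict) or req.get("method") != "tools/call":
        return []
    params = req.get("params") or {}
    tool = params.get("name")
    if tool not in WATCHED_TOOLS:
        return []
    findings = []
    for key, value in _walk(params.get("arguments") or {}):
        reasons = reasons_for(value)
        if reasons:
            findings.append({"line": line_no, "tool": tool, "argument": key,
                             "value": value, "reasons": reasons})
    return findings


def scan_log(lines) -> list:
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample log (not real PraisonAI output): one JSON-RPC request per line.
SAMPLE_LOG = [
    '{"jsonrpc":"2.0","id":1,"method":"tools/list"}',
    '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"praisonai.rules.create","arguments":{"rule_name":"team-rules.md","content":"Be concise."}}}',
    '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"praisonai.rules.create","arguments":{"rule_name":"../../.local/lib/python3.12/site-packages/zz.pth","content":"placeholder"}}}',
    '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"praisonai.rules.show","arguments":{"rule_name":"%252e%252e%2f%252e%252e%2fetc%2fpasswd"}}}',
    '{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"praisonai.workflow.show","arguments":{"path":"/home/dev/.praison/workflows/demo.yaml"}}}',
    '{"jsonrpc":"2.0","id":6,"method":"tools/call","params":{"name":"praisonai.agents.run","arguments":{"prompt":"../../ not a watched tool, ignored"}}}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['tool']} {f['argument']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Decoding before matching is the important part: a regex for a literal ../ on the raw value misses %2e%2e%2f and the double-encoded form on line 4, which a server that percent-decodes (or a client that re-encodes) would still turn into a traversal.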
Monitoring Recommendations
- Enable verbose JSON-RPC request logging on the PraisonAI MCP server and forward logs to a central SIEM
- Apply file integrity monitoring to user-writable Python import paths, including site-packages and usercustomize.py
- Track outbound network connections initiated by Python processes following PraisonAI tool invocations
How to Mitigate CVE-2026-44336
Immediate Actions Required
- Upgrade PraisonAI to version 4.6.34 or later across all hosts running praisonai mcp serve
- Stop and disable any exposed PraisonAI MCP server instances until the patch is applied
- Audit ~/.praison/rules/, user site-packages, and home directory paths for unexpected files written by the MCP server account
Patch Information
The maintainers fixed the issue in PraisonAI version 4.6.34. The patch adds containment validation so the rules tools resolve paths within ~/.praison/rules/ and rejects traversal attempts. See the PraisonAI Security Advisory for the complete fix description and upgrade guidance.
Workarounds
- Restrict network exposure of the MCP server to trusted local clients only, using loopback binding or firewall rules
- Run praisonai mcp serve under a dedicated low-privilege user account with no write access to Python import paths
- Disable the praisonai.rules.* and praisonai.workflow.show tools if they are not required by deployed agents
# Configuration example - upgrade and restrict the MCP server
pip install --upgrade 'praisonai>=4.6.34'
# Verify installed version
python -c "import praisonai; print(praisonai.__version__)"
# Bind MCP server to loopback only (example)
praisonai mcp serve --host 127.0.0.1 --port 8080
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


