CVE-2026-44340 Overview
CVE-2026-44340 is a path traversal vulnerability in PraisonAI, a multi-agent teams system maintained by MervinPraison. The flaw resides in the _safe_extractall helper used by the recipe pull, recipe publish, and recipe unpack flows. The helper validates archive member names for absolute paths and .. segments but ignores symbolic and hard link metadata. A crafted bundle can plant a symlink inside the destination directory whose linkname points outside it, then write a regular file through that symlink to an attacker-chosen filesystem location. The issue affects all versions prior to 4.6.37 and is tracked under CWE-22.
Critical Impact
Remote attackers can write arbitrary files to attacker-controlled paths on the victim's filesystem when a malicious recipe archive is processed, enabling integrity compromise and code execution paths through overwritten configuration or executable files.
Affected Products
- PraisonAI versions prior to 4.6.37
- The recipe pull command flow
- The recipe publish and recipe unpack command flows
Discovery Timeline
- 2026-05-08 - CVE-2026-44340 published to NVD
- 2026-05-08 - Last updated in NVD database
- Fix released - PraisonAI version 4.6.37 patches the vulnerability
Technical Details for CVE-2026-44340
Vulnerability Analysis
The vulnerability is a classic symlink-assisted path traversal in tar archive extraction. PraisonAI's _safe_extractall helper inspects each archive entry's name attribute and rejects absolute paths, parent-directory traversal sequences, and resolved paths that escape dest_dir. The check is incomplete because it never inspects member.linkname, never rejects SYMTYPE or LNKTYPE members, and invokes tar.extractall(dest_dir) without the Python 3.12+ filter="data" safeguard.
An attacker builds a tar bundle containing two ordered entries. The first is a symbolic link whose name is a benign-looking path inside dest_dir, but whose linkname resolves to an arbitrary location on the host, for example /etc or a user's ~/.ssh directory. The second is a regular file whose path traverses through the just-created symlink. When extractall writes the file, the operating system follows the symlink and the content lands outside the sandbox.
Root Cause
The root cause is incomplete input validation [CWE-22]. The _safe_extractall filter only normalizes the name field of each TarInfo object. Link targets are trusted, and the extraction call does not opt into Python's tarfile data filter, which would block link members pointing outside the extraction root.
Attack Vector
Exploitation requires the victim to fetch or unpack an attacker-controlled recipe archive through any of the three vulnerable flows. No authentication is required against the victim host because the malicious payload travels inside a legitimate recipe bundle. Successful writes can target shell startup files, cron entries, Python site-packages, or application configuration to achieve code execution under the user running PraisonAI.
No public proof-of-concept exploit code is currently available. See the GitHub Security Advisory GHSA-9q28-ghcr-c4x3 for the maintainer's technical description.
Detection Methods for CVE-2026-44340
Indicators of Compromise
- Unexpected symbolic links inside recipe extraction directories whose targets point outside the destination root.
- Modifications to sensitive files such as ~/.ssh/authorized_keys, ~/.bashrc, cron tables, or Python site-packages immediately after a recipe pull or recipe unpack operation.
- Recipe archives sourced from untrusted registries or pull requests containing SYMTYPE or LNKTYPE tar entries.
Detection Strategies
- Inspect recipe tar bundles before processing with tar -tvf <archive> and reject any archive containing link entries whose targets resolve outside the intended directory.
- Monitor processes spawned by PraisonAI for writes to paths outside the configured recipe workspace.
- Audit installed PraisonAI versions across hosts and flag any release older than 4.6.37.
Monitoring Recommendations
- Enable filesystem auditing (auditd, EDR file telemetry) on directories that should never be written to by the PraisonAI process user.
- Log all recipe pull, recipe publish, and recipe unpack invocations with the resolved archive source URL.
- Alert on creation of symbolic links by the PraisonAI process where the link target lies outside the recipe working directory.
How to Mitigate CVE-2026-44340
Immediate Actions Required
- Upgrade PraisonAI to version 4.6.37 or later on every host that runs recipe commands.
- Audit recently extracted recipe archives for symlinks pointing outside the expected destination directory and remove any unauthorized files written outside it.
- Restrict recipe sources to trusted, signed registries until the upgrade completes.
Patch Information
The maintainer patched the issue in PraisonAI version 4.6.37 by hardening _safe_extractall to reject symlink and hardlink members and to validate linkname resolution against the destination directory. Details are published in the GitHub Security Advisory GHSA-9q28-ghcr-c4x3.
Workarounds
- Run PraisonAI under a dedicated, low-privilege user account whose write permissions are confined to the recipe workspace.
- Execute recipe extraction inside an ephemeral container or sandbox with no access to sensitive host paths.
- Pre-screen incoming archives and strip any entries with linkname targets that resolve outside the extraction directory before invoking PraisonAI.
# Upgrade PraisonAI to the patched release
pip install --upgrade "praisonai>=4.6.37"
# Verify the installed version
python -c "import praisonai; print(praisonai.__version__)"
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
