CVE-2026-35615
Path Traversal in PraisonAI Prior to 1.5.113 Allows Arbitrary File Access
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 1.5.113 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to any file on the system, including sensitive files such as /etc/passwd, /etc/shadow, and private SSH keys. This unauthorized access to sensitive data can lead to breaches of confidentiality.
Such breaches of confidentiality can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information against unauthorized access.
Because the vulnerability enables remote exploitation without privileges or user interaction, it poses a critical risk to data confidentiality, which is a core requirement in these regulations.
Can you explain this vulnerability to me?
CVE-2026-35615 is a critical path traversal vulnerability in the PraisonAI multi-agent teams system, specifically in the _validate_path() function of the FileTools component. The function attempts to prevent path traversal by normalizing file paths using os.path.normpath() and then checking for the substring '..' in the normalized path. However, since os.path.normpath() collapses '..' sequences before the check, the check always passes and fails to detect traversal attempts.
Additionally, the function uses os.path.abspath() but does not resolve symbolic links, which allows attackers to exploit symlink-based traversal. This flaw enables attackers who can specify file paths in file operations to bypass protections and access any file on the system, including sensitive files like /etc/passwd, /etc/shadow, and private SSH keys.
The vulnerability is fixed in version 1.5.113 by checking for '..' in the original input path before normalization and resolving symbolic links.
How can this vulnerability impact me?
This vulnerability allows an attacker to perform unauthorized path traversal attacks, enabling them to access any file on the affected system without any privileges or user interaction.
- Unauthorized reading of sensitive files such as /etc/passwd, /etc/shadow, and private SSH keys.
- Potential arbitrary file writes if combined with write operations, leading to further system compromise.
Because the attack vector is network-based and requires no privileges or user interaction, the risk is high and can lead to significant confidentiality breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the _validate_path() function lets traversal sequences through: because it collapses '..' with os.path.normpath() before checking for '..', a crafted path that contains '..' is accepted, which can be verified by attempting to access sensitive files using such paths.
A practical detection method is to attempt to read sensitive files such as /etc/passwd using path traversal sequences like '/tmp/../etc/passwd' through the vulnerable file operation interfaces (e.g., read_file). If the system returns the contents without error, it indicates the vulnerability is present.
Since the vulnerability is in the praisonai package's FileTools component, you can check the version of PraisonAI installed; versions prior to 1.5.113 are vulnerable.
Specific commands depend on the environment, but a conceptual example in a Python environment using the vulnerable function might be:
- Call _validate_path('/tmp/../etc/passwd') and check if it returns '/etc/passwd' without raising an error.
- Attempt to read the file at the returned path to confirm unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PraisonAI to version 1.5.113 or later, where the vulnerability is fixed.
The fix involves changing the _validate_path() function to check for '..' in the original input path before normalization and resolving symbolic links to prevent symlink-based traversal.
Until the upgrade is applied, restrict access to the vulnerable file operation interfaces to trusted users only, and monitor for suspicious file access attempts.
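The normalize-then-check defect described in the explanation above, beside a hardened validator in the spirit of the fix (reject '..' in the raw input, resolve symbolic links), as an added example that is not PraisonAI's own code. The `base_dir` argument, the helper names and the temporary directory layout are assumptions; the hardened version additionally confines the resolved path to the base directory.

```python
import os
import tempfile


def vulnerable_validate_path(path: str) -> str:
    """Pattern the advisory describes: normalize first, then look for '..'.
    normpath() collapses '../' segments before the check runs, so the
    substring test never fires, and abspath() leaves symlinks unresolved."""
    normalized = os.path.normpath(path)
    if ".." in normalized:
        raise ValueError("path traversal detected")
    return os.path.abspath(normalized)


def hardened_validate_path(path: str, base_dir: str) -> str:
    """Hardened validator (assumed design, not the project's code):
    1. reject a '..' component in the raw input, before any normalization;
    2. resolve symlinks with realpath() so a link cannot point outside base_dir;
    3. require the resolved target to stay inside the resolved base_dir."""
    if ".." in path.replace("\\", "/").split("/"):
        raise ValueError("path traversal detected in raw input")
    base_real = os.path.realpath(base_dir)
    # join() discards base_real when path is absolute; containment catches that.
    target_real = os.path.realpath(os.path.join(base_real, path))
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise ValueError("path resolves outside the allowed directory")
    return target_real


def rejects(validator, *args) -> bool:
    """True if the validator raises ValueError for the given arguments."""
    try:
        validator(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed layout: root/secret.txt sits outside root/sandbox, and
    root/sandbox/escape is a symlink back to root."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "sandbox")
    os.mkdir(base)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("outside the sandbox\n")
    os.symlink(root, os.path.join(base, "escape"))
    inside = os.path.join(os.path.realpath(base), "notes.txt")
    return {
        "vuln_passes_traversal": not rejects(vulnerable_validate_path, base + "/../secret.txt"),
        "vuln_passes_symlink": not rejects(vulnerable_validate_path, base + "/escape/secret.txt"),
        "hard_rejects_traversal": rejects(hardened_validate_path, "../secret.txt", base),
        "hard_rejects_symlink": rejects(hardened_validate_path, "escape/secret.txt", base),
        "hard_allows_inside": hardened_validate_path("notes.txt", base) == inside,
    }
```

Running `demo()` shows the vulnerable check accepting both the '..' path and the symlink path while the hardened check rejects them and still permits a plain file inside the base directory.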