Executive Summary

CVE-2026-39306 is a high-severity path traversal vulnerability in PraisonAI's recipe registry pull workflow. The vulnerability occurs because PraisonAI extracts attacker-controlled .praison tar archives using Python's tar.extractall() without validating the paths of the archive members.

A malicious publisher can include path traversal entries (such as ../) in the tar archive, which allows files to be written outside the intended output directory when a user pulls the recipe. This affects both local and HTTP registry pull paths.

Checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. The extraction code creates the target directory and then extracts all files without path validation, enabling arbitrary file writes outside the target directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to high integrity and availability risks. An attacker can overwrite or create arbitrary files outside the intended extraction directory.

This could affect important files such as configuration files, project files, or startup files, potentially disrupting the normal operation of the system or application.

The attack requires low privileges and low complexity but does require user interaction, meaning a user must pull the malicious recipe for exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the contents of .praison tar archives before extraction to identify any path traversal entries such as '../' segments that attempt to write files outside the intended extraction directory.

Since the vulnerability involves extraction of tar archives without path validation, you can manually check tarball contents for suspicious paths using commands like:

• tar -tf archive.praison | grep '\.\./'
• tar -tvf archive.praison

These commands list the files inside the tar archive and help identify any entries with directory traversal patterns. Monitoring network traffic for downloads of .praison files from untrusted sources or unusual file writes outside expected directories after pulling recipes can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 1.5.113 or later, where the vulnerability is fixed by replacing the unsafe tar.extractall() call with a safe extraction routine that validates each archive member path.

Until the upgrade is applied, avoid pulling recipes from untrusted or unknown publishers, as the vulnerability requires user interaction to exploit.

Additionally, implement manual validation of .praison tar archives before extraction to reject any bundles containing path traversal entries.

It is also recommended to validate tar contents during publishing to prevent malicious bundles from entering the registry.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to perform arbitrary file writes outside the intended extraction directory, potentially overwriting or creating critical configuration, project, or startup files. Such unauthorized modifications can compromise system integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity and availability impacts could indirectly affect compliance. For example, unauthorized file writes could lead to system malfunctions or data integrity issues, which may violate regulatory requirements for data protection and system reliability.

Therefore, organizations using affected versions of PraisonAI should consider this vulnerability a risk to maintaining compliance with standards that require strict controls over data integrity and system availability.

Useful 0 Not Useful 0