CVE-2026-39306
Path Traversal in PraisonAI Recipe Registry Enables Arbitrary File Write

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: praison
Product: praisonai
Version / Range: to 4.5.112 (inc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to perform arbitrary file writes outside the intended extraction directory, potentially overwriting or creating critical configuration, project, or startup files. Such unauthorized modifications can compromise system integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity and availability impacts could indirectly affect compliance. For example, unauthorized file writes could lead to system malfunctions or data integrity issues, which may violate regulatory requirements for data protection and system reliability.

Therefore, organizations using affected versions of PraisonAI should consider this vulnerability a risk to maintaining compliance with standards that require strict controls over data integrity and system availability.


Can you explain this vulnerability to me?

CVE-2026-39306 is a high-severity path traversal vulnerability in PraisonAI's recipe registry pull workflow. The vulnerability occurs because PraisonAI extracts attacker-controlled .praison tar archives using Python's tar.extractall() without validating the paths of the archive members.

A malicious publisher can include path traversal entries (such as ../) in the tar archive, which allows files to be written outside the intended output directory when a user pulls the recipe. This affects both local and HTTP registry pull paths.

Checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. The extraction code creates the target directory and then extracts all files without path validation, enabling arbitrary file writes outside the target directory.


How can this vulnerability impact me?

This vulnerability can lead to high integrity and availability risks. An attacker can overwrite or create arbitrary files outside the intended extraction directory.

This could affect important files such as configuration files, project files, or startup files, potentially disrupting the normal operation of the system or application.

The attack requires low privileges and low complexity but does require user interaction, meaning a user must pull the malicious recipe for exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the contents of .praison tar archives before extraction to identify any path traversal entries such as '../' segments that attempt to write files outside the intended extraction directory.

Since the vulnerability involves extraction of tar archives without path validation, you can manually check tarball contents for suspicious paths using commands like:

  • tar -tf archive.praison | grep '\.\./'
  • tar -tvf archive.praison

These commands list the files inside the tar archive and help identify any entries with directory traversal patterns. Monitoring network traffic for downloads of .praison files from untrusted sources or unusual file writes outside expected directories after pulling recipes can also help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade PraisonAI to version 1.5.113 or later, where the vulnerability is fixed by replacing the unsafe tar.extractall() call with a safe extraction routine that validates each archive member path.

Until the upgrade is applied, avoid pulling recipes from untrusted or unknown publishers, as the vulnerability requires user interaction to exploit.

Additionally, implement manual validation of .praison tar archives before extraction to reject any bundles containing path traversal entries.

It is also recommended to validate tar contents during publishing to prevent malicious bundles from entering the registry.
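The pre-extraction check from the detection answer and the per-member validation from the mitigation answer can be combined in one routine. The following is an added example, not PraisonAI's actual fix; the function names are hypothetical, it assumes a bundle is a tar archive that Python's tarfile can open, and the sample bundles are constructed in memory. It goes beyond the `../` grep by also refusing absolute paths, links and device nodes.

```python
import io
import os
import tarfile
import tempfile


def unsafe_members(tar, dest):
    """Names of members that resolve outside dest or are not plain files/dirs."""
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        inside = target == root or target.startswith(root + os.sep)
        # Links and device nodes are refused too: a symlink member can
        # redirect a later write even when its own name looks harmless.
        if not inside or not (m.isfile() or m.isdir()):
            bad.append(m.name)
    return bad


def safe_extract(fileobj, dest):
    """Extract only when every member passes; return the extracted names."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing bundle, unsafe members: {bad}")
        os.makedirs(dest, exist_ok=True)
        # Defence in depth: use the stdlib "data" filter where available.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
        return tar.getnames()


def make_bundle(names):
    """Constructed in-memory tar for the demo, not a real .praison bundle."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"demo\n"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(safe_extract(make_bundle(["recipe.yaml"]), os.path.join(tmp, "out")))
        with tarfile.open(fileobj=make_bundle(["a", "../b"]), mode="r:*") as t:
            print(unsafe_members(t, tmp))
```

The same `unsafe_members` check can run on the publishing side, so a bundle with traversal entries is rejected before it enters the registry.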

