CVE-2026-39308
Path Traversal and Arbitrary File Write in PraisonAI Registry
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | to 4.5.112 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39308 is a path traversal and arbitrary file write vulnerability in the PraisonAI recipe registry's publish endpoint prior to version 1.5.113 (noted as up to 4.5.112 in the resource). The issue arises because the server writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json fields (name and version) before verifying that these fields match the HTTP route parameters.
An attacker can include '../' sequences in the manifest's name field, causing the server to write files outside the intended registry root directory. Although the server eventually rejects the request with an HTTP 400 error due to the mismatch, the malicious file remains on the filesystem, leading to arbitrary file creation or overwriting outside the registry root.
This vulnerability affects deployments exposing the publish flow, especially if no authentication token is required or if the attacker has publish access. The root cause is improper validation of the manifest fields before filesystem operations.
How can this vulnerability impact me? :
This vulnerability can have significant impacts including high integrity risk because an attacker can create or overwrite arbitrary files outside the intended directory on the registry host.
Potential impacts include:
- Arbitrary file creation or overwriting outside the registry root.
- Possible availability impact if critical files are overwritten or corrupted.
- Potential for chaining with other local loading mechanisms to escalate attacks.
If the registry is run without authentication tokens, any network client can exploit this. If tokens are configured, only users with publish access can exploit it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual file writes outside the expected registry root directory, especially files created during attempts to publish recipe bundles.
One approach is to check for files created with unexpected paths or names containing traversal sequences like '../' in the manifest name or version fields.
Since the vulnerability involves the publish endpoint at `/v1/recipes/{name}/{version}`, you can inspect HTTP POST requests to this endpoint for suspicious manifest contents.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to `/v1/recipes/` and analyze the manifest.json inside uploaded bundles for path traversal sequences.
- On the server, run commands to find files created outside the registry root that match the pattern of `.praison` bundles, for example: `find /tmp -name '*.praison'` or `find / -path '*outside-dir*'`.
- Check server logs for HTTP 400 responses from the publish endpoint, which may indicate rejected but partially processed malicious uploads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows arbitrary file write and path traversal on the registry host, which can lead to unauthorized modification or creation of files outside the intended directory.
Such integrity violations could potentially impact compliance with standards and regulations that require strict control over data integrity and system security, such as GDPR and HIPAA.
However, the provided information does not explicitly discuss or analyze the direct effects of this vulnerability on compliance with these or other common standards and regulations.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PraisonAI to version 1.5.113 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, restrict access to the recipe registry publish endpoint to trusted users only, ideally requiring authentication tokens.
Avoid running the registry without authentication tokens, as any network client can exploit the vulnerability if no token is required.
Implement network-level controls such as firewall rules to limit access to the publish endpoint.
Monitor the filesystem for unexpected files created outside the registry root and remove any suspicious files.