CVE-2026-40117
Received - Intake
Arbitrary File Read in PraisonAIAgents Enables Data Exfiltration

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
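The boundary check the description says is missing, sketched as an added example; this is not PraisonAIAgents code and not the 1.5.128 patch. The function names, the `skills_root` parameter and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

class SkillPathError(PermissionError):
    """Raised when a requested path resolves outside its allowed directory."""

def _inside(child: Path, parent: Path) -> bool:
    return child == parent or parent in child.parents

def read_unconfined(skill_path: str, file_path: str) -> str:
    # Models the behaviour the advisory describes: skill_path is used as given.
    return (Path(skill_path) / file_path).read_text()

def read_confined(skills_root: str, skill_path: str, file_path: str) -> str:
    # resolve() collapses ".." and follows symlinks *before* the comparison,
    # so traversal, absolute paths and symlink escapes are all caught.
    root = Path(skills_root).resolve()
    skill_dir = (root / skill_path).resolve()  # an absolute skill_path replaces root here
    target = (skill_dir / file_path).resolve()
    if not _inside(skill_dir, root):
        raise SkillPathError(f"skill directory {skill_dir} is outside {root}")
    if not _inside(target, skill_dir):
        raise SkillPathError(f"file {target} is outside {skill_dir}")
    return target.read_text()

def demo() -> dict:
    # Constructed sample tree: one skill under the root, one "secret" outside it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "workspace", "skills")
        (root / "demo").mkdir(parents=True)
        (root / "demo" / "SKILL.md").write_text("# demo skill")
        secret = Path(tmp, "secret.env")
        secret.write_text("API_KEY=constructed-sample")
        os.symlink(secret, root / "demo" / "link.md")

        results = {"unconfined": read_unconfined(tmp, "secret.env"),
                   "allowed": read_confined(str(root), "demo", "SKILL.md")}
        attempts = {"absolute": (tmp, "secret.env"),
                    "dotdot": ("demo", "../../../secret.env"),
                    "symlink": ("demo", "link.md")}
        for name, (skill, rel) in attempts.items():
            try:
                read_confined(str(root), skill, rel)
                results[name] = "read"
            except SkillPathError:
                results[name] = "blocked"
        return results

if __name__ == "__main__":
    print(demo())
```

Path confinement addresses only the workspace-boundary half of the comparison in the description; the approval requirement it mentions for run_skill_script is a separate control.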
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: praison
Product: praisonaiagents
Version / Range: up to 1.5.128 (excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade PraisonAIAgents to version 1.5.128 or later, where the issue with read_skill_file() has been fixed.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive files from the filesystem. Since an attacker can exploit the read_skill_file() function to read arbitrary files without any approval, sensitive information could be exfiltrated, potentially leading to data breaches or exposure of confidential data.


Can you explain this vulnerability to me?

The vulnerability exists in PraisonAIAgents, a multi-agent teams system, specifically in versions prior to 1.5.128. The function read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem because it accepts an unrestricted skill_path parameter. Unlike other functions that enforce workspace boundaries or require approval, read_skill_file() has no such protections. This means an agent influenced by prompt injection can read and exfiltrate sensitive files without any approval prompt.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an agent to read arbitrary files from the filesystem without any approval prompt, potentially leading to unauthorized exfiltration of sensitive data.

Such unauthorized access and exfiltration of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to and disclosure of personal and sensitive data.

