CVE-2026-40117
Received Received - Intake
Arbitrary File Read in PraisonAIAgents Enables Data Exfiltration

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40117
EUVD
EUVD-2026-21164
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonaiagents to 1.5.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade PraisonAIAgents to version 1.5.128 or later, where the issue with read_skill_file() has been fixed.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files from the filesystem. Since an attacker can exploit the read_skill_file() function to read arbitrary files without any approval, sensitive information could be exfiltrated, potentially leading to data breaches or exposure of confidential data.

Executive Summary

The vulnerability exists in PraisonAIAgents, a multi-agent teams system, specifically in versions prior to 1.5.128. The function read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem because it accepts an unrestricted skill_path parameter. Unlike other functions that enforce workspace boundaries or require approval, read_skill_file() has no such protections. This means an agent influenced by prompt injection can read and exfiltrate sensitive files without any approval prompt.

Compliance Impact

This vulnerability allows an agent to read arbitrary files from the filesystem without any approval prompt, potentially leading to unauthorized exfiltration of sensitive data.

Such unauthorized access and exfiltration of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to and disclosure of personal and sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart