CVE-2026-44336
Modified Modified - Updated After Analysis
Path Traversal in PraisonAI MCP Server

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default β€” praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns β€” the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44336
EUVD
EUVD-2026-28639
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonai to 4.6.34 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in PraisonAI's MCP server prior to version 4.6.34. The server registers four file-handling tools that accept file paths or names without proper containment checks. An attacker can exploit this by providing a specially crafted path that escapes the intended directory, allowing them to write arbitrary files anywhere the user has write permissions.

By dropping a malicious Python .pth file into the user's site-packages directory, the attacker can escalate this to arbitrary code execution in any subsequent Python process run by the user, such as the PraisonAI CLI, IDE scripts, Python REPL, or background Python services.

This issue arises because the JSON-RPC dispatcher passes arguments blindly to handlers without validating them against the expected input schema.

The vulnerability has been patched in version 4.6.34.

Impact Analysis

This vulnerability can lead to arbitrary file writes by an attacker with access to the MCP server, potentially allowing them to place malicious files in sensitive locations.

More critically, it can escalate to arbitrary code execution in any Python process run by the user, which could compromise the user's environment, steal data, or perform unauthorized actions.

Because the attacker can execute code with the privileges of the user running PraisonAI, the impact can be severe, including full compromise of the user's system or environment.

Mitigation Strategies

The vulnerability is patched in PraisonAI version 4.6.34. The immediate step to mitigate this vulnerability is to upgrade PraisonAI to version 4.6.34 or later.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code by writing files outside the intended directory, potentially leading to unauthorized access or modification of sensitive data.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Exploitation of this flaw could result in exposure or alteration of personal or protected health information, thereby violating regulatory requirements and leading to legal and financial consequences.

Detection Guidance

This vulnerability can be detected by checking if the PraisonAI MCP server version is 4.6.33 or earlier, as these versions are vulnerable to a critical path-traversal flaw.

To detect exploitation attempts or presence of malicious files, you can look for unexpected Python .pth files in the user's site-packages directory, which may indicate arbitrary code execution attempts.

You can also monitor network activity on the MCP server endpoints, especially the unauthenticated HTTP-stream transport on 127.0.0.1:8080/mcp or stdio-based MCP connections, for suspicious requests invoking the vulnerable file-handling tools.

  • Check PraisonAI MCP server version: `praisonai mcp serve --version` or check installed package version.
  • Search for suspicious .pth files in the user site-packages directory, for example: `find ~/.local/lib/python*/site-packages/ -name '*.pth'`
  • Monitor network connections on localhost port 8080: `netstat -anp | grep 8080` or `ss -anp | grep 8080`
  • Inspect logs or capture traffic on 127.0.0.1:8080/mcp for unusual MCP tool calls that include path traversal patterns like '../../'
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart