CVE-2026-44336
Path Traversal in PraisonAI MCP Server
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 4.6.34 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-913 | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PraisonAI's MCP server prior to version 4.6.34. The server registers four file-handling tools that accept file paths or names without proper containment checks. An attacker can exploit this by providing a specially crafted path that escapes the intended directory, allowing them to write arbitrary files anywhere the user has write permissions.
By dropping a malicious Python .pth file into the user's site-packages directory, the attacker can escalate this to arbitrary code execution in any subsequent Python process run by the user, such as the PraisonAI CLI, IDE scripts, Python REPL, or background Python services.
This issue arises because the JSON-RPC dispatcher passes arguments blindly to handlers without validating them against the expected input schema.
The vulnerability has been patched in version 4.6.34.
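The two missing controls described above, argument validation against the tool's schema and a containment check on the resolved path, can be sketched as follows. This is an added example, not PraisonAI's code or its 4.6.34 patch; the schema, the handler name and `RejectedCall` are hypothetical.

```python
from pathlib import Path

# Hypothetical tool schema: argument name -> required type.
WRITE_FILE_SCHEMA = {"path": str, "content": str}


class RejectedCall(ValueError):
    """Raised when a tool call fails validation."""


def validate_args(args, schema):
    """Reject missing, unexpected or wrongly typed arguments."""
    if not isinstance(args, dict) or set(args) != set(schema):
        raise RejectedCall("arguments do not match the tool schema")
    for name, expected in schema.items():
        if not isinstance(args[name], expected):
            raise RejectedCall(f"{name} must be {expected.__name__}")
    return args


def resolve_inside(base_dir, user_path):
    """Return the resolved target, or raise if it is not below base_dir."""
    base = Path(base_dir).resolve()
    # Joining with an absolute user_path discards base, and ".." segments or
    # symlinks can climb out of it, so resolve first and compare afterwards.
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise RejectedCall(f"{user_path!r} resolves outside {base}")
    return candidate


def handle_write_file(base_dir, args):
    """Hypothetical file-writing tool handler with both checks applied."""
    args = validate_args(args, WRITE_FILE_SCHEMA)
    target = resolve_inside(base_dir, args["path"])
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(args["content"], encoding="utf-8")
    return target
```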
How can this vulnerability impact me?
This vulnerability can lead to arbitrary file writes by an attacker with access to the MCP server, potentially allowing them to place malicious files in sensitive locations.
More critically, it can escalate to arbitrary code execution in any Python process run by the user, which could compromise the user's environment, steal data, or perform unauthorized actions.
Because the attacker can execute code with the privileges of the user running PraisonAI, the impact can be severe, including full compromise of the user's system or environment.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is patched in PraisonAI version 4.6.34. The immediate step to mitigate this vulnerability is to upgrade PraisonAI to version 4.6.34 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary code by writing files outside the intended directory, potentially leading to unauthorized access or modification of sensitive data.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Exploitation of this flaw could result in exposure or alteration of personal or protected health information, thereby violating regulatory requirements and leading to legal and financial consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the PraisonAI MCP server version is 4.6.33 or earlier, as these versions are vulnerable to a critical path-traversal flaw.
To detect exploitation attempts or presence of malicious files, you can look for unexpected Python .pth files in the user's site-packages directory, which may indicate arbitrary code execution attempts.
You can also monitor network activity on the MCP server endpoints, especially the unauthenticated HTTP-stream transport on 127.0.0.1:8080/mcp or stdio-based MCP connections, for suspicious requests invoking the vulnerable file-handling tools.
- Check the PraisonAI MCP server version: `praisonai mcp serve --version`, or check the installed package version.
- Search for suspicious .pth files in the user site-packages directory, for example: `find ~/.local/lib/python*/site-packages/ -name '*.pth'`
- Monitor network connections on localhost port 8080: `netstat -anp | grep 8080` or `ss -anp | grep 8080`
- Inspect logs or capture traffic on 127.0.0.1:8080/mcp for unusual MCP tool calls that include path traversal patterns like '../../'