CVE-2026-44340
Path Traversal in PraisonAI via Symlink in Archive
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | to 4.6.37 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-44340 vulnerability in PraisonAI (versions up to 4.6.35) involves a flaw in the _safe_extractall function used during recipe pull, publish, and unpack operations. While the function validates archive member names to prevent absolute paths and path traversal, it fails to validate the linkname of symlink or hardlink members. This allows an attacker to craft a malicious bundle containing a symlink that points outside the intended extraction directory.
When this bundle is extracted, the symlink enables the attacker to write arbitrary files to locations outside the destination directory by following a file path that traverses the symlink. This bypasses the intended security checks and can lead to unauthorized file writes on the victim's filesystem.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to overwrite arbitrary files on the victim's system by exploiting the symlink extraction bypass. Potential impacts include overwriting important user files such as shell configuration files or SSH keys, and if the extraction process runs with elevated privileges (e.g., as root), system files could also be overwritten.
Such unauthorized file writes can lead to system compromise, privilege escalation, or persistent backdoors, severely impacting the security and integrity of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the use of PraisonAI commands that extract or pull recipes, specifically `praisonai recipe unpack` and `praisonai recipe pull`. Suspicious activity may include extraction of bundles containing symlinks that point outside the intended destination directory.
To detect exploitation attempts, you can check for the presence of symlink or hardlink members in extracted bundles that point outside the expected directories.
While no explicit detection commands are provided, you can use commands to inspect extracted files and symlinks, for example:
- Use `find` to locate symlinks in the extraction directory: `find /path/to/dest_dir -type l -ls`
- Check where symlinks point: `readlink -f /path/to/symlink` to verify if they point outside the intended directory.
- Audit logs or command history for usage of `praisonai recipe unpack` or `praisonai recipe pull` commands.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PraisonAI to version 4.6.37 or later, where the vulnerability has been patched.
If upgrading is not immediately possible, avoid running `praisonai recipe unpack`, `praisonai recipe pull`, or recipe publish operations on untrusted bundles.
Additionally, review and modify the `_safe_extractall` function to either use the `filter="data"` parameter during extraction or add explicit checks to reject symlink and hardlink members that point outside the destination directory.
Limit the privileges of the user running PraisonAI commands to reduce the impact of potential exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to write arbitrary files to attacker-chosen locations on the victim's filesystem by exploiting symlink extraction bypasses. This can lead to unauthorized modification or overwriting of sensitive user files such as shell configurations and SSH keys, and potentially critical system files if run with elevated privileges.
Such unauthorized file writes and potential data manipulation could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require safeguarding the integrity and confidentiality of sensitive data.
Therefore, exploitation of this vulnerability could compromise compliance with these regulations by enabling unauthorized access and modification of protected data or system configurations.