CVE-2026-44340
Analyzed Analyzed - Analysis Complete
Path Traversal in PraisonAI via Symlink in Archive

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape β€” but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44340
EUVD
EUVD-2026-28643
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonai to 4.6.37 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-44340 vulnerability in PraisonAI (versions up to 4.6.35) involves a flaw in the _safe_extractall function used during recipe pull, publish, and unpack operations. While the function validates archive member names to prevent absolute paths and path traversal, it fails to validate the linkname of symlink or hardlink members. This allows an attacker to craft a malicious bundle containing a symlink that points outside the intended extraction directory.

When this bundle is extracted, the symlink enables the attacker to write arbitrary files to locations outside the destination directory by following a file path that traverses the symlink. This bypasses the intended security checks and can lead to unauthorized file writes on the victim's filesystem.

Impact Analysis

This vulnerability can allow an attacker to overwrite arbitrary files on the victim's system by exploiting the symlink extraction bypass. Potential impacts include overwriting important user files such as shell configuration files or SSH keys, and if the extraction process runs with elevated privileges (e.g., as root), system files could also be overwritten.

Such unauthorized file writes can lead to system compromise, privilege escalation, or persistent backdoors, severely impacting the security and integrity of the affected system.

Detection Guidance

This vulnerability can be detected by monitoring the use of PraisonAI commands that extract or pull recipes, specifically `praisonai recipe unpack` and `praisonai recipe pull`. Suspicious activity may include extraction of bundles containing symlinks that point outside the intended destination directory.

To detect exploitation attempts, you can check for the presence of symlink or hardlink members in extracted bundles that point outside the expected directories.

While no explicit detection commands are provided, you can use commands to inspect extracted files and symlinks, for example:

  • Use `find` to locate symlinks in the extraction directory: `find /path/to/dest_dir -type l -ls`
  • Check where symlinks point: `readlink -f /path/to/symlink` to verify if they point outside the intended directory.
  • Audit logs or command history for usage of `praisonai recipe unpack` or `praisonai recipe pull` commands.
Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 4.6.37 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, avoid running `praisonai recipe unpack`, `praisonai recipe pull`, or recipe publish operations on untrusted bundles.

Additionally, review and modify the `_safe_extractall` function to either use the `filter="data"` parameter during extraction or add explicit checks to reject symlink and hardlink members that point outside the destination directory.

Limit the privileges of the user running PraisonAI commands to reduce the impact of potential exploitation.

Compliance Impact

The vulnerability allows an attacker to write arbitrary files to attacker-chosen locations on the victim's filesystem by exploiting symlink extraction bypasses. This can lead to unauthorized modification or overwriting of sensitive user files such as shell configurations and SSH keys, and potentially critical system files if run with elevated privileges.

Such unauthorized file writes and potential data manipulation could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require safeguarding the integrity and confidentiality of sensitive data.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by enabling unauthorized access and modification of protected data or system configurations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart