CVE-2026-60088
Received Received - Intake

Path Traversal in PraisonAI Custom Command Templates

Vulnerability report for CVE-2026-60088, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outside_secret.txt or absolute paths in project command files to exfiltrate process-readable files into model prompts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
praisonai praisonai to 4.6.78 (exc)
mervinpraison praisonai to 4.6.78 (exc)
mervinpraison praisonai From 4.6.65 (inc) to 4.6.71 (inc)
mervinpraison praisonai 4.6.78

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in PraisonAI versions before 4.6.78 allows attackers to read files outside the intended workspace by exploiting improper validation of file path references in custom command templates.

Attackers can include path traversal sequences like @../outside_secret.txt or absolute file paths in project command files. When a user runs such a command, PraisonAI reads the referenced file and includes its contents in the prompt sent to the model or provider.

This happens because the interpolation code expands file references without verifying that they remain within the project directory, leading to a confidentiality issue.

The vulnerability requires user interaction, as the operator must run the malicious command for the file exfiltration to occur.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files outside the workspace by including their contents in model prompts.

An attacker who can add or modify a repository can create malicious command templates that exfiltrate confidential or sensitive information readable by the process.

Because the vulnerability involves reading files outside the intended directory, it poses a confidentiality risk, potentially exposing secrets or private data.

The attack requires user interaction, meaning the operator must run the malicious command, which may limit the attack surface but still represents a significant risk.

Detection Guidance

This vulnerability arises from the ability of attackers to include path traversal sequences or absolute paths in custom command templates within PraisonAI, which then read files outside the workspace. Detection involves monitoring or auditing project command files for suspicious file path references such as '@../' or absolute paths that point outside the intended project directory.

Since the vulnerability requires user interaction to run malicious commands, detection can also include reviewing command execution logs for commands that reference external file paths or unusual file reads.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade PraisonAI to version 4.6.78 or later, where the vulnerability has been fixed by resolving file paths against the project root before reading them.

Until the upgrade can be applied, avoid running untrusted or modified project command templates that may contain path traversal sequences or absolute file paths.

Additionally, restrict write access to project command files to trusted users only, to prevent attackers from adding malicious command templates.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60088. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart