CVE-2026-60089
Received Received - Intake

Path Traversal in PraisonAI

Vulnerability report for CVE-2026-60089, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
praisonai praisonaiagents to 1.6.78 (exc)
mervinpraison praisonaiagents to 1.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60089 is a vulnerability in PraisonAI versions before 1.6.78 where the software automatically loads default settings from a project-local configuration file named .praisonai/config.toml without validating the output_file path specified in that file.

An attacker controlling the repository can set the output_file path to an absolute path or use directory traversal sequences (like ".."), causing PraisonAI to write agent output files outside the intended project directory.

When the developer calls agent.start() without explicitly specifying an output parameter, PraisonAI writes the response to the manipulated path, potentially overwriting files outside the project root with the privileges of the user running the software.

Impact Analysis

This vulnerability can allow an attacker to overwrite files outside the project directory on the user's system with the same privileges as the user running PraisonAI.

Such unauthorized file overwrites could lead to file corruption or replacement of user-writable files, potentially affecting system stability or security depending on which files are overwritten.

Because the output content is limited to agent responses, the impact is primarily related to file integrity rather than direct code execution, but it still poses a significant risk of data loss or tampering.

Detection Guidance

This vulnerability can be detected by inspecting the project-local configuration file located at .praisonai/config.toml for unsafe settings in the output_file path.

Specifically, look for absolute paths or path traversal sequences such as '..' in the output_file setting, which indicate potential exploitation.

Commands to help detect this include searching for the output_file setting with path traversal patterns in the configuration files, for example:

  • grep -r '\.praisonai/config.toml' . | xargs grep 'output_file'
  • grep -r '\.praisonai/config.toml' . | xargs grep -E 'output_file\s*=\s*"(/|\.\.)'

Additionally, monitoring file writes outside the project directory when agent.start() is called without an explicit output parameter can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade PraisonAI to version 1.6.78 or later, where the issue has been fixed.

If upgrading is not immediately possible, manually review and sanitize the .praisonai/config.toml file in your projects to ensure the output_file setting does not contain absolute paths or path traversal sequences.

Avoid running agent.start() without explicitly specifying a safe output parameter to prevent writing files outside the intended directory.

Implement access controls and restrict write permissions to sensitive directories to limit the impact of potential exploitation.

Compliance Impact

The vulnerability allows an attacker to overwrite files outside the project root directory with the privileges of the user running PraisonAI by exploiting path traversal in the output_file configuration. This unauthorized file overwrite could lead to data integrity issues and potential exposure or modification of sensitive information.

Such unauthorized file manipulation can impact compliance with standards like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. If sensitive personal or health data is overwritten or corrupted due to this vulnerability, it could result in violations of these regulations.

Therefore, the vulnerability poses a risk to compliance by enabling unauthorized modification of files, potentially including sensitive data, without proper validation or user consent.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart