Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113.
Published: 2026-04-07
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch
AI Analysis

Impact

A path traversal flaw in the recipe registry pull flow of PraisonAI allows an attacker to upload a tar archive containing "../" entries. When a user later pulls that recipe, the client extracts the archive without validating member paths, writing files outside the chosen output directory and potentially overwriting critical files. Because the malicious entries are part of the signed bundle, checksum verification does not prevent the attack. This results in an arbitrary file write on the client machine.

Affected Systems

The vulnerability affects the PraisonAI multi‑agent teams system from the vendor MervinPraison. It is present in all releases prior to version 1.5.113 and impacts both local registry pulls and HTTP registry pulls.

Risk and Exploitability

The CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H) denotes a high severity issue. The EPSS probability is below 1% and the flaw is not listed in the KEV catalog, and exploitation requires a malicious publisher to supply a crafted recipe bundle and a victim to pull that bundle (user interaction). A successful pull lets the attacker write files at paths of their choosing on the victim's machine, with the privileges of the user running the pull, which can be leveraged for persistence or privilege escalation (for example by dropping content into shell startup files or tool configuration the victim later executes). The vulnerability is exploitable purely on the client side; no access to the registry server is needed beyond the ability to publish a recipe.

Generated by OpenCVE AI on April 7, 2026 at 22:06 UTC.

Remediation

Vendor fix: the advisory description states the issue is fixed in PraisonAI 1.5.113. No separate workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 1.5.113 or newer to apply the vendor fix that validates archive member paths.
  • Verify that all client installations have been updated and are running the patched version.
  • If an upgrade cannot be performed quickly, restrict recipe pulls to trusted publishers and add a pre-extraction check that rejects any archive member whose normalized path escapes the output directory (../ segments or absolute names). Do not rely on the bundle checksum for this: as the description notes, the traversal entries are part of the signed bundle, so the checksum verifies the malicious content rather than rejecting it.
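The check the last recommendation describes, beside the unvalidated tar.extractall() pattern from the description, as an added example (not PraisonAI's own code): it builds a constructed in-memory tar with a ../ member standing in for a malicious .praison bundle, shows extractall() writing outside the chosen output directory, and contrasts a pull that validates every member before extracting. All function names (build_bundle, unsafe_members, safe_extract, vulnerable_extract, demo) and the sample archive contents are this example's own assumptions.

```python
"""Added example for CVE-2026-39306 (not PraisonAI code): the unvalidated
tar.extractall() pattern beside a pull that validates member paths first.
All names here (build_bundle, unsafe_members, safe_extract, vulnerable_extract,
demo) and the sample archive contents are this example's own."""
import io
import os
import tarfile
import tempfile

# Python 3.12+ (and the PEP 706 backports) raise tarfile.FilterError for members
# an extraction filter rejects; older versions have no such class.
FILTER_ERROR = getattr(tarfile, "FilterError", tarfile.TarError)


def build_bundle(members):
    """Build an in-memory tar from (name, bytes) pairs.

    Constructed stand-in for a .praison recipe bundle; not a real registry artifact.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)  # name is written verbatim, ../ included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(base, candidate):
    """True if candidate resolves to base itself or somewhere below it."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def unsafe_members(tar, out_dir):
    """Names of members that must not be extracted into out_dir.

    Rejects absolute names, names that resolve outside out_dir (../ traversal),
    and, conservatively, any symlink, hardlink or device node, since a link can
    redirect a later member's write outside out_dir even when its own name is clean.
    """
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _inside(out_dir, os.path.join(out_dir, m.name)):
            bad.append(m.name)
        elif m.issym() or m.islnk() or m.isdev():
            bad.append(m.name)
    return bad


def vulnerable_extract(bundle, out_dir):
    """The pre-1.5.113 pattern: extractall() with no member validation."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        # Before Python 3.14 the default behaviour is 'fully_trusted' (3.12/3.13
        # only emit a DeprecationWarning), so the ../ member lands outside out_dir.
        # Python 3.14 made the 'data' filter the default and raises instead.
        tar.extractall(out_dir)


def safe_extract(bundle, out_dir):
    """Refuse the whole bundle if any member is unsafe; otherwise extract and
    return the member names. Checking first avoids a partial extraction."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        bad = unsafe_members(tar, out_dir)
        if bad:
            raise ValueError(f"refusing to extract bundle: unsafe members {bad}")
        tar.extractall(out_dir)
        return [m.name for m in tar.getmembers()]


def demo():
    """Run both extractors on a traversal bundle and a clean one; report what happened."""
    malicious = build_bundle([("recipe.yaml", b"name: demo\n"),
                              ("../../.bashrc", b"echo pwned\n")])  # constructed payload
    clean = build_bundle([("recipe.yaml", b"name: demo\n"),
                          ("agents/worker.yaml", b"role: worker\n")])
    result = {}
    with tempfile.TemporaryDirectory() as root:
        # Two levels below root so the ../../ escape stays inside the temp dir.
        out_dir = os.path.join(root, "a", "b", "out")
        os.makedirs(out_dir)
        try:
            vulnerable_extract(malicious, out_dir)
            result["vulnerable_raised"] = False
        except FILTER_ERROR:
            result["vulnerable_raised"] = True
        result["vulnerable_escaped"] = os.path.isfile(os.path.join(root, "a", ".bashrc"))

        with tarfile.open(fileobj=io.BytesIO(malicious), mode="r") as tar:
            result["safe_rejected"] = unsafe_members(tar, out_dir)
        try:
            safe_extract(malicious, out_dir)
            result["safe_raised"] = False
        except ValueError:
            result["safe_raised"] = True
        result["clean_extracted"] = safe_extract(clean, os.path.join(root, "clean"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Python 3.12 and later (and the 3.8 to 3.11 security releases that backported PEP 706) `tar.extractall(out_dir, filter="data")` applies equivalent path, link and device checks inside the standard library; validating up front as above has the extra benefit of rejecting the whole bundle before any member is written, rather than stopping midway through a partial extraction.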


Advisories
Source: GitHub GHSA
ID: GHSA-4rx4-4r3x-6534
Title: PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
History

Thu, 16 Apr 2026 01:30:00 +0000

Values removed: none
Values added:
  First Time appeared: Praison; Praison praisonai
  CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
  Vendors & Products: Praison; Praison praisonai

Thu, 09 Apr 2026 07:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Values removed: none
Values added:
  First Time appeared: Mervinpraison; Mervinpraison praisonai
  Vendors & Products: Mervinpraison; Mervinpraison praisonai

Tue, 07 Apr 2026 18:00:00 +0000

Values removed: none
Values added:
  Description: PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113.
  Title: PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
  Weaknesses: CWE-22
  References:
  Metrics (cvssV3_1): {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:31:31.939Z

Reserved: 2026-04-06T19:31:07.265Z

Link: CVE-2026-39306

Vulnrichment

Updated: 2026-04-07T18:31:27.583Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:36.470

Modified: 2026-04-16T01:23:37.567

Link: CVE-2026-39306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:42Z