Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113.
Published: 2026-04-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch Immediately
AI Analysis

Impact

PraisonAI’s recipe registry publish endpoint processes a bundle’s internal manifest.json and creates files based on the path derived from that manifest before the server verifies that the manifest name and version match the HTTP route. A malicious publisher can embed directory traversal sequences, such as '../', in the manifest so the registry attempts to write files outside its configured root directory. Even though the request ultimately generates a 400 response, the write operation occurs. This results in an arbitrary file write that can overwrite critical system files or place malicious content on the server, potentially leading to privilege escalation or code execution.

Affected Systems

The vulnerability affects MervinPraison’s PraisonAI product in all releases prior to version 1.5.113. Any installation that exposes the recipe registry publish flow, whether publicly accessible or protected by a token, is susceptible. If the registry runs without authentication, any network client can trigger the flaw; if authentication is enabled, any user with publish permissions can exploit it.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, and although EPSS data is unavailable, the path‑traversal nature and network trigger suggest a relatively high likelihood of exploitation, especially on services that are openly exposed. Because the vulnerability is not listed in the CISA KEV catalog, there is no confirmed exploitation in the wild, but the threat remains significant for exposed deployments.

Generated by OpenCVE AI on April 7, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 1.5.113 or later.
  • Disable or restrict public access to the recipe registry publish endpoint if possible.
  • Ensure that authentication tokens used for publish access are issued only to trusted users and that token usage is logged.
  • Add a pre‑write validation step to check for directory traversal in the manifest before creating any files.
  • Configure the registry root directory with appropriate permissions so that write operations cannot affect files outside the intended area.

Generated by OpenCVE AI on April 7, 2026 at 23:18 UTC.
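The defensive ordering the advisory describes (route/manifest agreement and path containment checked before any write) as an added Python example; this is not PraisonAI's own code, and `check_bundle`, the registry root and the sample manifests are constructed for illustration:

```python
import json
import re
from pathlib import Path

# Allow-list for manifest name/version: a single plain path component.
# Anything starting with '.', containing '/' or '\', or empty is refused,
# which rules out '../' sequences and absolute paths before any path math.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def check_bundle(registry_root: Path, route_name: str, route_version: str,
                 manifest_bytes: bytes) -> tuple:
    """Validate a bundle's manifest.json against the publish route.

    Returns (True, target_dir) or (False, reason). Every check runs before
    anything is written, which is the ordering the vulnerable flow lacked.
    """
    try:
        manifest = json.loads(manifest_bytes)
    except ValueError as exc:
        return False, f"manifest.json is not valid JSON: {exc}"
    name, version = manifest.get("name"), manifest.get("version")
    # 1. Route and manifest must agree, checked before deriving any path.
    if (name, version) != (route_name, route_version):
        return False, "manifest name/version do not match the route"
    # 2. Each component must be a plain identifier (rejects '..', '/', '\').
    for label, value in (("name", name), ("version", version)):
        if not isinstance(value, str) or not _SAFE_COMPONENT.match(value):
            return False, f"manifest {label} {value!r} is not a safe path component"
    # 3. Defence in depth: resolve the target and confirm it is under the root.
    root = registry_root.resolve()
    target = (root / name / version).resolve()
    if target != root and root not in target.parents:
        return False, "resolved path escapes the registry root"
    return True, str(target)


# Constructed sample inputs (not taken from the advisory); nothing is written.
ROOT = Path("registry-root")
GOOD_MANIFEST = json.dumps({"name": "summarizer", "version": "1.0.0"}).encode()
TRAVERSAL_MANIFEST = json.dumps(
    {"name": "../../../../tmp/pwned", "version": "1.0.0"}).encode()
ABSOLUTE_MANIFEST = json.dumps({"name": "/etc/cron.d", "version": "x"}).encode()

if __name__ == "__main__":
    for route, blob in (("summarizer", GOOD_MANIFEST),
                        ("summarizer", TRAVERSAL_MANIFEST),
                        ("../../../../tmp/pwned", TRAVERSAL_MANIFEST)):
        print(route, check_bundle(ROOT, route, "1.0.0", blob))
```

The second traversal case shows that even a route chosen to match a hostile manifest is refused by the component allow-list, so the containment check in step 3 is only a backstop.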

Tracking


Advisories
Source: Github GHSA
ID: GHSA-r9x3-wx45-2v7f
Title: PraisonAI recipe registry publish path traversal allows out-of-root file write
History

Thu, 16 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113.
Title PraisonAI recipe registry publish path traversal allows out-of-root file write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:18:05.184Z

Reserved: 2026-04-06T19:31:07.265Z

Link: CVE-2026-39308

Vulnrichment

Updated: 2026-04-09T15:07:55.328Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:36.770

Modified: 2026-04-16T01:15:57.880

Link: CVE-2026-39308

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:47:41Z

Weaknesses