Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
Published: 2026-04-09
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Read
Action: Immediate Patch
AI Analysis

Impact

The read_skill_file() function in PraisonAIAgents accepts a skill_path parameter without any restriction. Unlike other file access helpers, it does not enforce a workspace boundary or require an approval gate. As a result, an attacker who can influence an agent’s prompt can supply a crafted path and exfiltrate arbitrary files from the host filesystem. This flaw leads to a confidentiality breach but does not directly impact availability or integrity of the system.
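The two missing controls described above (workspace confinement and an approval gate), shown as an added example that is not PraisonAIAgents code. The names `read_unconfined`, `read_confined`, `SkillPathError` and the `approve` callback are hypothetical, and the sandbox files are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class SkillPathError(PermissionError):
    """Requested skill file is outside the workspace or was not approved."""


def read_unconfined(skill_path):
    # The pattern the advisory describes: the supplied path is opened as-is.
    return Path(skill_path).read_text()


def read_confined(workspace, skill_path, approve=lambda target: False):
    # Hypothetical hardened helper. Resolve symlinks and ".." first, then check
    # the real location; an absolute skill_path replaces root in the join.
    root = Path(workspace).resolve()
    target = (root / skill_path).resolve()
    if os.path.commonpath([root, target]) != str(root):
        raise SkillPathError(f"{skill_path!r} resolves outside the workspace")
    if not approve(target):  # deny by default, like an approval prompt
        raise SkillPathError(f"read of {target} was not approved")
    return target.read_text()


def demo():
    # Constructed sandbox: one skill file in the workspace, one file outside it.
    results = {}
    with tempfile.TemporaryDirectory() as base:
        ws = Path(base, "workspace")
        ws.mkdir()
        (ws / "SKILL.md").write_text("skill instructions")
        outside = Path(base, "outside.txt")
        outside.write_text("not for agents")
        os.symlink(outside, ws / "link.md")  # in-workspace name, outside target
        results["unconfined"] = read_unconfined(str(outside))
        cases = {"inside": "SKILL.md", "absolute": str(outside),
                 "dotdot": "../outside.txt", "symlink": "link.md"}
        for label, path in cases.items():
            try:
                results[label] = read_confined(ws, path, approve=lambda t: True)
            except SkillPathError:
                results[label] = "blocked"
        try:
            results["unapproved"] = read_confined(ws, "SKILL.md")
        except SkillPathError:
            results["unapproved"] = "blocked"
    return results
```

Calling `demo()` returns a dict showing that the confined helper blocks the absolute, `..` and symlink cases even when the approval callback says yes, and blocks an in-workspace read when no approval is given.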

Affected Systems

The vulnerability affects the PraisonAIAgents product by MervinPraison. All instances running a version earlier than 1.5.128 are susceptible to arbitrary file reads through the unprotected read_skill_file() routine.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. The EPSS score is not available, so the current exploit probability is unclear. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw requires an attacker to inject a prompt that reaches the agent, the attack vector is likely local or within an environment where prompt injection is possible; it is inferred that remote exploitation would depend on additional interfaces that accept untrusted prompts.

Generated by OpenCVE AI on April 9, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PraisonAIAgents to version 1.5.128 or newer
  • Restrict or sanitize prompt inputs to prevent prompt injection into agents
  • Enable audit logging for file access by agents and review logs for anomalous activity



Advisories
Source: Github GHSA
ID: GHSA-grrg-5cg9-58pf
Title: PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate

History

Fri, 17 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Praison; Praison praisonaiagents
CPEs | | cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
Vendors & Products | | Praison; Praison praisonaiagents

Fri, 10 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mervinpraison; Mervinpraison praisonaiagents
Vendors & Products | | Mervinpraison; Mervinpraison praisonaiagents

Thu, 09 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
Title | | PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:14:21.572Z

Reserved: 2026-04-09T01:41:38.537Z

Link: CVE-2026-40117

Vulnrichment

Updated: 2026-04-10T18:14:17.768Z

NVD

Status: Analyzed

Published: 2026-04-09T22:16:35.447

Modified: 2026-04-17T18:23:42.337

Link: CVE-2026-40117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:53Z
