Description
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns — the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34.
Published: 2026-05-08
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI's Model Context Protocol (MCP) server registers several file‑handling tools that assemble user‑supplied filenames into a path under the application's rules directory without validating containment. This oversight allows an attacker to traverse outside the intended directory using a crafted rule name such as `../../etc/shadow`, thereby creating or overwriting any file the running user can write. If the attacker then drops a Python `.pth` file into the user’s site‑packages directory, the Python interpreter will load it on the next run, resulting in arbitrary code execution under the user’s privileges.
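The missing containment and schema checks described above, sketched as an added example; this is not PraisonAI's code or its 4.6.34 patch. The function names, `RULE_SCHEMA` and the `content` field are hypothetical; `rule_name` and the `~/.praison/rules/` directory come from the advisory.

```python
from pathlib import Path

class UnsafeRequest(ValueError):
    """Raised when tools/call arguments fail validation."""

def naive_join(rules_dir: Path, rule_name: str) -> Path:
    # The pattern the advisory describes: join with no containment check.
    return rules_dir / rule_name

def contained_join(rules_dir: Path, rule_name: str) -> Path:
    # Accept a single plain file name only: no separators, no "..", no NUL.
    if (not rule_name or "\x00" in rule_name or rule_name in (".", "..")
            or Path(rule_name).name != rule_name):
        raise UnsafeRequest(f"not a plain file name: {rule_name!r}")
    base = rules_dir.resolve()
    # resolve() follows symlinks, so a link inside the directory that points
    # elsewhere fails the containment test below.
    candidate = (base / rule_name).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise UnsafeRequest(f"escapes {base}: {rule_name!r}")
    return candidate

def validate_arguments(arguments: dict, schema: dict) -> dict:
    # Check arguments against the advertised schema before any **kwargs call.
    props = schema.get("properties", {})
    unknown = set(arguments) - set(props)
    if unknown:
        raise UnsafeRequest(f"unexpected arguments: {sorted(unknown)}")
    missing = [k for k in schema.get("required", []) if k not in arguments]
    if missing:
        raise UnsafeRequest(f"missing arguments: {missing}")
    for key, value in arguments.items():
        if props[key].get("type") == "string" and not isinstance(value, str):
            raise UnsafeRequest(f"{key} must be a string")
    return arguments

# Constructed schema for illustration ("content" is a hypothetical field).
RULE_SCHEMA = {"properties": {"rule_name": {"type": "string"},
                              "content": {"type": "string"}},
               "required": ["rule_name"]}

if __name__ == "__main__":
    rules = Path.home() / ".praison" / "rules"
    print(naive_join(rules, "../../elsewhere.txt"))  # leaves the rules directory
    args = validate_arguments({"rule_name": "style.md"}, RULE_SCHEMA)
    print(contained_join(rules, args["rule_name"]))
```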

Affected Systems

The vulnerable implementation exists in all releases of PraisonAI older than version 4.6.34. The software is distributed by MervinPraison under the product name PraisonAI, a multi‑agent teams system. Clients that expose the MCP server to potentially malicious callers, or that operate under an account with broad filesystem permissions, are susceptible. No specific version numbering beyond the pre‑4.6.34 threshold is listed, so any prerelease lacking the patch is impacted.

Risk and Exploitability

The CVSS score of 9.4 classifies this flaw as critical, and while no EPSS value is currently available, the lack of containment and the ability to drop a Python `.pth` file suggest a high exploitation probability in environments where the MCP server is reachable. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation provides remote attackers with full code execution that can affect data confidentiality, integrity, and availability for any process spawned by the affected user.

Generated by OpenCVE AI on May 8, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.34 or later, which removes the path traversal and .pth injection flaw.
  • Scan the user’s site‑packages directory for any `.pth` files that were placed there and delete them, or disable automatic loading of `.pth` files if possible.
  • Restrict network access to the MCP server or place it behind a firewall to limit exposure to trusted hosts only.
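One way to carry out the `.pth` review recommended above, as an added example that is not part of the advisory or of PraisonAI. It lists the lines in each `.pth` file that Python's `site` module would execute at startup (lines beginning with `import` followed by a space or tab); some legitimate packages ship such lines, so the output is a review list, not a verdict. The function names are hypothetical.

```python
import site
import time
from pathlib import Path

def executable_lines(pth_file: Path) -> list:
    """Return (line_number, text) for lines site.py would pass to exec()."""
    hits = []
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        # site.py executes lines that begin with "import" plus a space or tab;
        # other non-comment lines are only added to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits

def audit_site_dir(directory: Path) -> dict:
    """Map each .pth file name in `directory` to its executable lines."""
    findings = {}
    if not directory.is_dir():
        return findings
    for pth_file in sorted(directory.glob("*.pth")):
        hits = executable_lines(pth_file)
        if hits:
            findings[pth_file.name] = hits
    return findings

def site_dirs() -> list:
    """User and interpreter site-packages directories for this Python."""
    dirs = [Path(site.getusersitepackages())]
    dirs += [Path(p) for p in site.getsitepackages()]
    return dirs

if __name__ == "__main__":
    for directory in site_dirs():
        for name, hits in audit_site_dir(directory).items():
            path = directory / name
            stamp = time.strftime("%Y-%m-%d %H:%M",
                                  time.localtime(path.stat().st_mtime))
            print(f"{path} (modified {stamp})")
            for number, line in hits:
                print(f"  line {number}: {line}")
```

Run it with each interpreter the affected user has installed, and compare modification times against the window in which the MCP server was reachable.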



Advisories

No advisories yet.

History

Fri, 08 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Praison; Praison praisonai |
| CPEs | | `cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Praison; Praison praisonai |
| Metrics | | cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}` |


Fri, 08 May 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via `**kwargs` without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns — the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34. |
| Title | | PraisonAI MCP `tools/call` path-traversal and RCE via Python `.pth` injection |
| Weaknesses | | CWE-20, CWE-22, CWE-829, CWE-913, CWE-94 |
| References | | |
| Metrics | | cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T13:32:33.605Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44336

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-08T14:16:46.437

Modified: 2026-05-08T19:08:29.237

Link: CVE-2026-44336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:00:14Z