Description
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the _safe_extractall helper used by PraisonAI's recipe pull, publish, and unpack flows. It validates archive member names for absolute paths and '..' segments, but ignores the linkname field and does not reject symlink or hardlink members. The helper calls tar.extractall(dest_dir) without a data filter, allowing a crafted bundle that contains a symlink pointing outside the intended extraction directory. A subsequent regular file that follows that symlink during extraction can write data to an attacker‑chosen location outside dest_dir. This flaw effectively permits an attacker to write arbitrary files to the filesystem. The weakness is a form of path traversal (CWE‑22) and absolute path traversal (CWE‑59).

Affected Systems

The vulnerable versions of PraisonAI (4.6.36 and earlier) from vendor MervinPraison are affected. The fix is available in version 4.6.37. All users running any of these affected versions should plan an upgrade to the patched release. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a severe vulnerability. EPSS is not available, and the issue is not listed in CISA's KEV catalog, but the potential impact remains high. It is inferred that the attacker must supply a malicious tar archive to a user or process that initiates extraction. As the extraction runs under the privileges of the PraisonAI service, an attacker can potentially write files to critical system locations. Therefore, the risk level is high, especially in environments where PraisonAI runs with elevated privileges or processes untrusted bundles.

Generated by OpenCVE AI on May 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.37 or later to apply the authoritative patch that validates link names and prevents arbitrary writes.
  • If an immediate upgrade is not possible, avoid using the recipe pull, publish, or unpack features with untrusted bundles; instead, quarantine or inspect such archives before use.
  • Run the extraction process under the least privilege necessary so that even if a symlink attack writes a file, it cannot affect critical system directories.

Generated by OpenCVE AI on May 8, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.
Title PraisonAI: Symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Weaknesses CWE-22
CWE-59
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:22:36.847Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44340

cve-icon Vulnrichment

Updated: 2026-05-08T23:22:30.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:47.040

Modified: 2026-05-08T19:04:18.107

Link: CVE-2026-44340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T00:15:20Z

Weaknesses