Python
CVE-2026-35615
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Executive Summary:
The path validation has a critical logic bug: it checks for .. AFTER normpath() has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the symlink wich could potentially cause path traversal.
Details:
_validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes.
Vulnerable File: src/praisonai-agents/praisonaiagents/tools/file_tools.py
Lines: 42-49
class FileTools:
"""Tools for file operations including read, write, list, and information."""
@staticmethod
def _validate_path(filepath: str) -> str:
# Normalize the path
normalized = os.path.normpath(filepath)
absolute = os.path.abspath(normalized)
# Check for path traversal attempts (.. after normalization)
# We check the original input for '..' to catch traversal attempts
if '..' in normalized:
raise ValueError(f"Path traversal detected: {filepath}")
return absoluteSeverity: CRITICAL
CVSS v3.1: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Proof of concept (PoC)
Prerequisites:
- Ability to specify a file path can call file operations
Steps to reproduce: poc.py
from praisonaiagents.tools.file_tools import FileTools
print(FileTools._validate_path('/tmp/../etc/passwd'))
# Returns: /etc/passwd
print(FileTools.read_file('/tmp/../etc/passwd'))
# Returns: content of /etc/passwdWhy this works:
# Current vulnerable code:
normalized = os.path.normpath(filepath)
# Collapses .. HERE
absolute = os.path.abspath(normalized)
if '..' in normalized:
# Check AFTER collapse - ALWAYS FALSE!
raise ValueError(...)Impact:
- Complete bypass of path traversal protection
- Access to ANY file on the system with path from any starting directory
- Read sensitive files:
/etc/passwd,/etc/shadow,~/.ssh/id_rsa - Write arbitrary files if combined with write operations
- Affect file operations
read_file,write_file,list_files,get_file_info,copy_file,move_file,delete_file,download_file
Additional Notes:
- Fix: Check for
'..' in filepathBEFORE callingnormpath(), not after _validate_pathusesos.path.normpathandos.path.abspath, which don't resolve symlinks, making it vulnerable to path traversal via symlink if attacker can control the symlink.
AnalysisAI
Path traversal in PraisonAI Agents (praisonai-agents Python package) allows remote unauthenticated attackers to read arbitrary files from the system. The vulnerability exists in FileTools class methods (_validate_path, read_file, write_file, and others) due to a critical logic error: the code checks for '..' sequences AFTER os.path.normpath() already collapsed them, rendering the validation completely ineffective. Exploitation requires no special conditions beyond the ability to specify file paths to affected methods. EPSS probability is low (0.06%, 20th percentile), and vendor patch v4.5.113 is available per GitHub advisory GHSA-693f-pf34-72c5. No active exploitation (CISA KEV) confirmed at time of analysis.
Technical ContextAI
The vulnerability affects the PraisonAI Agents Python package (pkg:pip/praisonai), specifically in the FileTools utility class within src/praisonai-agents/praisonaiagents/tools/file_tools.py. This is a classic CWE-22 path traversal flaw caused by incorrect order of operations in path validation. The _validate_path() method first calls os.path.normpath() which collapses all '../' directory traversal sequences into their resolved form (e.g., '/tmp/../etc/passwd' becomes '/etc/passwd'), then checks if '..' exists in the normalized result. Since normpath() has already removed the '..' strings, the security check never triggers. Additionally, the code uses os.path.abspath() rather than os.path.realpath(), meaning symbolic links are not resolved, creating a secondary path traversal vector if attackers control symlinks. This vulnerability affects all file operation methods in the class including read_file, write_file, list_files, get_file_info, copy_file, move_file, delete_file, and download_file. The flaw represents a fundamental misunderstanding of when path sanitization must occur relative to path normalization in secure coding practices.
RemediationAI
Upgrade praisonai-agents to version 4.5.113 or later immediately. Install via pip: 'pip install --upgrade praisonai-agents>=4.5.113'. Vendor-released patch confirmed in GitHub release v4.5.113 at https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113. The patch corrects the validation logic to check for '..' in the original filepath BEFORE normalization, and implements proper symlink resolution using os.path.realpath(). If immediate upgrade is not possible, implement compensating controls: (1) Implement application-level input validation that rejects any file path containing '..' sequences before passing to FileTools methods; (2) Restrict FileTools usage to a chroot jail or container with minimal file system access; (3) Use allowlist-based path validation that only permits access to explicitly defined directories (e.g., '/var/app/data/*') rather than denylisting bad patterns; (4) Run the application with minimal filesystem permissions using a dedicated low-privilege service account; (5) Monitor file access patterns for anomalies (attempts to read /etc/passwd, /etc/shadow, ~/.ssh/* files). Note that compensating control (1) prevents traversal but doesn't address symlink issues - only the vendor patch fully resolves both vectors. Do not rely solely on the vulnerable _validate_path() method until patched.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-693f-pf34-72c5