Skip to main content

Python CVE-2026-35615

CRITICAL
Path Traversal (CWE-22)
2026-04-06 https://github.com/MervinPraison/PraisonAI GHSA-693f-pf34-72c5
9.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 16, 2026 - 01:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:47 vuln.today
cvss_changed
Patch released
Apr 07, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 06, 2026 - 23:31 vuln.today
CVE Published
Apr 06, 2026 - 23:09 nvd
CRITICAL 9.2

DescriptionGitHub Advisory

Executive Summary:

The path validation has a critical logic bug: it checks for .. AFTER normpath() has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the symlink wich could potentially cause path traversal.

Details:

_validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes.

Vulnerable File: src/praisonai-agents/praisonaiagents/tools/file_tools.py

Lines: 42-49

python
class FileTools:
    """Tools for file operations including read, write, list, and information."""

    @staticmethod
    def _validate_path(filepath: str) -> str:
# Normalize the path
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)
# Check for path traversal attempts (.. after normalization)
# We check the original input for '..' to catch traversal attempts
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")

        return absolute

Severity: CRITICAL

CVSS v3.1: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Proof of concept (PoC)

Prerequisites:

  • Ability to specify a file path can call file operations

Steps to reproduce: poc.py

python
from praisonaiagents.tools.file_tools import FileTools

print(FileTools._validate_path('/tmp/../etc/passwd'))
# Returns: /etc/passwd

print(FileTools.read_file('/tmp/../etc/passwd'))
# Returns: content of /etc/passwd

Why this works:

python
# Current vulnerable code:
normalized = os.path.normpath(filepath)
# Collapses .. HERE
absolute = os.path.abspath(normalized)
if '..' in normalized:
# Check AFTER collapse - ALWAYS FALSE!
    raise ValueError(...)

Impact:

  • Complete bypass of path traversal protection
  • Access to ANY file on the system with path from any starting directory
  • Read sensitive files: /etc/passwd, /etc/shadow, ~/.ssh/id_rsa
  • Write arbitrary files if combined with write operations
  • Affect file operations read_file, write_file, list_files, get_file_info, copy_file, move_file, delete_file, download_file

Additional Notes:

  • Fix: Check for '..' in filepath BEFORE calling normpath(), not after
  • _validate_path uses os.path.normpath and os.path.abspath, which don't resolve symlinks, making it vulnerable to path traversal via symlink if attacker can control the symlink.

AnalysisAI

Path traversal in PraisonAI Agents (praisonai-agents Python package) allows remote unauthenticated attackers to read arbitrary files from the system. The vulnerability exists in FileTools class methods (_validate_path, read_file, write_file, and others) due to a critical logic error: the code checks for '..' sequences AFTER os.path.normpath() already collapsed them, rendering the validation completely ineffective. Exploitation requires no special conditions beyond the ability to specify file paths to affected methods. EPSS probability is low (0.06%, 20th percentile), and vendor patch v4.5.113 is available per GitHub advisory GHSA-693f-pf34-72c5. No active exploitation (CISA KEV) confirmed at time of analysis.

Technical ContextAI

The vulnerability affects the PraisonAI Agents Python package (pkg:pip/praisonai), specifically in the FileTools utility class within src/praisonai-agents/praisonaiagents/tools/file_tools.py. This is a classic CWE-22 path traversal flaw caused by incorrect order of operations in path validation. The _validate_path() method first calls os.path.normpath() which collapses all '../' directory traversal sequences into their resolved form (e.g., '/tmp/../etc/passwd' becomes '/etc/passwd'), then checks if '..' exists in the normalized result. Since normpath() has already removed the '..' strings, the security check never triggers. Additionally, the code uses os.path.abspath() rather than os.path.realpath(), meaning symbolic links are not resolved, creating a secondary path traversal vector if attackers control symlinks. This vulnerability affects all file operation methods in the class including read_file, write_file, list_files, get_file_info, copy_file, move_file, delete_file, and download_file. The flaw represents a fundamental misunderstanding of when path sanitization must occur relative to path normalization in secure coding practices.

RemediationAI

Upgrade praisonai-agents to version 4.5.113 or later immediately. Install via pip: 'pip install --upgrade praisonai-agents>=4.5.113'. Vendor-released patch confirmed in GitHub release v4.5.113 at https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113. The patch corrects the validation logic to check for '..' in the original filepath BEFORE normalization, and implements proper symlink resolution using os.path.realpath(). If immediate upgrade is not possible, implement compensating controls: (1) Implement application-level input validation that rejects any file path containing '..' sequences before passing to FileTools methods; (2) Restrict FileTools usage to a chroot jail or container with minimal file system access; (3) Use allowlist-based path validation that only permits access to explicitly defined directories (e.g., '/var/app/data/*') rather than denylisting bad patterns; (4) Run the application with minimal filesystem permissions using a dedicated low-privilege service account; (5) Monitor file access patterns for anomalies (attempts to read /etc/passwd, /etc/shadow, ~/.ssh/* files). Note that compensating control (1) prevents traversal but doesn't address symlink issues - only the vendor patch fully resolves both vectors. Do not rely solely on the vulnerable _validate_path() method until patched.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-35615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy