Skip to main content

Python CVE-2026-39308

HIGH
Path Traversal (CWE-22)
2026-04-06 https://github.com/MervinPraison/PraisonAI GHSA-r9x3-wx45-2v7f
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 16, 2026 - 01:47 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:38 vuln.today
cvss_changed
Patch released
Apr 07, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 06, 2026 - 23:31 vuln.today
CVE Published
Apr 06, 2026 - 23:09 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400.

This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it.

Details

The bug is caused by the order of operations between the HTTP handler and the registry storage layer.

  1. RegistryServer._handle_publish() in src/praisonai/praisonai/recipe/server.py:370-426 parses POST /v1/recipes/{name}/{version}, writes the uploaded .praison file to a temporary path, and immediately calls:
python
result = self.registry.publish(tmp_path, force=force)
  1. LocalRegistry.publish() in src/praisonai/praisonai/recipe/registry.py:214-287 opens the uploaded tarball, reads manifest.json, and trusts the attacker-controlled name and version fields:
python
name = manifest.get("name")
version = manifest.get("version")
recipe_dir = self.recipes_path / name / version
recipe_dir.mkdir(parents=True, exist_ok=True)
bundle_name = f"{name}-{version}.praison"
dest_path = recipe_dir / bundle_name
shutil.copy2(bundle_path, dest_path)
  1. Validation helpers already exist in the same file:
python
def _validate_name(name: str) -> bool:
def _validate_version(version: str) -> bool:

but they are not called before the filesystem write.

  1. Only after publish() returns does the route compare the manifest values with the URL values:
python
if result["name"] != name or result["version"] != version:
    self.registry.delete(result["name"], result["version"])
    return self._error_response(...)

At that point the out-of-root artifact has already been created. The request returns an error, but the write outside the registry root remains on disk.

Verified vulnerable behavior:

  • Request path: /v1/recipes/safe/1.0.0
  • Internal manifest name: ../../outside-dir
  • Server response: HTTP 400
  • Leftover artifact: /tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison

This demonstrates that the write occurs before the consistency check and rollback.

PoC

Run the single verification script from the checked-out repository:

bash
cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI"
python3 tmp/pocs/poc.py

Expected vulnerable output:

text
[+] Publish response status: 400
{
  "ok": false,
  "error": "Bundle name/version (../../outside-dir@1.0.0) doesn't match URL (safe@1.0.0)",
  "code": "error"
}
[+] Leftover artifact exists: True
[+] Artifact under registry root: False
[+] RESULT: VULNERABLE - upload was rejected, but an out-of-root artifact was still created.

Then verify the artifact manually:

bash
ls -l /tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison
find /tmp/praisonai-publish-traversal-poc -maxdepth 2 | sort

What the script does internally:

  1. Starts a local PraisonAI recipe registry server.
  2. Builds a malicious .praison bundle whose internal manifest.json contains name = ../../outside-dir.
  3. Uploads that bundle to the apparently safe route /v1/recipes/safe/1.0.0.
  4. Receives the expected 400 mismatch error.
  5. Confirms that outside-dir-1.0.0.praison was still written outside the configured registry directory.

Impact

This is a path traversal / arbitrary file write vulnerability in the recipe registry publish flow.

Impacted parties:

  • Registry operators running the PraisonAI recipe registry service.
  • Any deployment that allows remote recipe publication.
  • Any environment where adjacent writable filesystem locations contain sensitive application data, service files, or staged content that could be overwritten or planted.

Security impact:

  • Integrity impact is high because an attacker can create or overwrite files outside the registry root.
  • Availability impact is possible if the attacker targets adjacent runtime or application files.
  • The issue can be chained with other local loading or deployment behaviors if nearby files are later consumed by another component.

Remediation

  1. Validate manifest.json name and version before any path join or filesystem write. Reject path separators, .., absolute paths, and any value that fails the existing _validate_name() / _validate_version() checks.
  2. Resolve the final destination path and enforce that it remains under the configured registry root before calling mkdir() or copy2(). For example, compare the resolved destination against self.recipes_path.resolve().
  3. Move the URL-to-manifest consistency check ahead of self.registry.publish(...), or refactor publish() so it receives already-validated route parameters instead of trusting attacker-controlled manifest values for storage paths.

AnalysisAI

Path traversal in PraisonAI's recipe registry publish endpoint allows authenticated users with publish access to write arbitrary files outside the configured registry root. The vulnerability affects the pip package 'praisonai' and stems from trusting attacker-controlled manifest.json name/version fields before validation, enabling directory traversal sequences like '../../' to bypass intended storage boundaries. While the malicious publish request returns HTTP 400, the out-of-bounds file write persists on disk. EPSS exploitation probability is low (0.06%, 18th percentile) with no active exploitation reported. Vendor patch available in version 4.5.113.

Technical ContextAI

PraisonAI implements a recipe registry system where users can publish recipe bundles as .praison tarball files containing a manifest.json descriptor. The publish flow in RegistryServer._handle_publish() accepts POST requests to /v1/recipes/{name}/{version}, extracts the uploaded tarball, and calls LocalRegistry.publish() which immediately uses the manifest's name and version fields to construct filesystem paths via Python's pathlib: 'recipe_dir = self.recipes_path / name / version'. This path concatenation occurs before validation helpers (_validate_name(), _validate_version()) are invoked, creating a classic TOCTOU (time-of-check-time-of-use) vulnerability. The CWE-22 path traversal arises because unsanitized path components containing '../' sequences are passed directly to Path.mkdir() and shutil.copy2(), allowing writes outside self.recipes_path. The subsequent URL-to-manifest consistency check correctly rejects mismatched requests with HTTP 400 and attempts cleanup via registry.delete(), but by that point the traversed file already exists on disk outside the registry root, where the cleanup logic cannot reach it.

RemediationAI

Upgrade PraisonAI to version 4.5.113 or later, which addresses the path traversal issue (release notes at https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113, advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f). For environments that cannot immediately upgrade, implement defense-in-depth mitigations: (1) Disable the recipe registry publish endpoint entirely if not required for operations-this eliminates the attack surface with no functional loss for deployments that only consume recipes. (2) If publish functionality is necessary, restrict network access to the registry server to trusted internal networks only via firewall rules or reverse proxy ACLs, and revoke publish tokens for any non-essential accounts-this reduces PR:L to a smaller set of highly trusted users but does not eliminate risk from compromised or malicious insiders. (3) Run the registry process under a dedicated service account with write permissions only to the registry root directory and no access to adjacent application or system directories-this contains the blast radius of arbitrary writes, though attackers may still cause DoS via disk exhaustion within the registry directory. Note that input validation alone (checking for '../' in manifest fields) is insufficient if not combined with path canonicalization checks, as the patch properly implements.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-39308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy