Python
CVE-2026-39308
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400.
This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it.
Details
The bug is caused by the order of operations between the HTTP handler and the registry storage layer.
RegistryServer._handle_publish()insrc/praisonai/praisonai/recipe/server.py:370-426parsesPOST /v1/recipes/{name}/{version}, writes the uploaded.praisonfile to a temporary path, and immediately calls:
result = self.registry.publish(tmp_path, force=force)LocalRegistry.publish()insrc/praisonai/praisonai/recipe/registry.py:214-287opens the uploaded tarball, readsmanifest.json, and trusts the attacker-controllednameandversionfields:
name = manifest.get("name")
version = manifest.get("version")
recipe_dir = self.recipes_path / name / version
recipe_dir.mkdir(parents=True, exist_ok=True)
bundle_name = f"{name}-{version}.praison"
dest_path = recipe_dir / bundle_name
shutil.copy2(bundle_path, dest_path)- Validation helpers already exist in the same file:
def _validate_name(name: str) -> bool:
def _validate_version(version: str) -> bool:but they are not called before the filesystem write.
- Only after
publish()returns does the route compare the manifest values with the URL values:
if result["name"] != name or result["version"] != version:
self.registry.delete(result["name"], result["version"])
return self._error_response(...)At that point the out-of-root artifact has already been created. The request returns an error, but the write outside the registry root remains on disk.
Verified vulnerable behavior:
- Request path:
/v1/recipes/safe/1.0.0 - Internal manifest name:
../../outside-dir - Server response: HTTP
400 - Leftover artifact:
/tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison
This demonstrates that the write occurs before the consistency check and rollback.
PoC
Run the single verification script from the checked-out repository:
cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI"
python3 tmp/pocs/poc.pyExpected vulnerable output:
[+] Publish response status: 400
{
"ok": false,
"error": "Bundle name/version (../../outside-dir@1.0.0) doesn't match URL (safe@1.0.0)",
"code": "error"
}
[+] Leftover artifact exists: True
[+] Artifact under registry root: False
[+] RESULT: VULNERABLE - upload was rejected, but an out-of-root artifact was still created.Then verify the artifact manually:
ls -l /tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison
find /tmp/praisonai-publish-traversal-poc -maxdepth 2 | sortWhat the script does internally:
- Starts a local PraisonAI recipe registry server.
- Builds a malicious
.praisonbundle whose internalmanifest.jsoncontainsname = ../../outside-dir. - Uploads that bundle to the apparently safe route
/v1/recipes/safe/1.0.0. - Receives the expected
400mismatch error. - Confirms that
outside-dir-1.0.0.praisonwas still written outside the configured registry directory.
Impact
This is a path traversal / arbitrary file write vulnerability in the recipe registry publish flow.
Impacted parties:
- Registry operators running the PraisonAI recipe registry service.
- Any deployment that allows remote recipe publication.
- Any environment where adjacent writable filesystem locations contain sensitive application data, service files, or staged content that could be overwritten or planted.
Security impact:
- Integrity impact is high because an attacker can create or overwrite files outside the registry root.
- Availability impact is possible if the attacker targets adjacent runtime or application files.
- The issue can be chained with other local loading or deployment behaviors if nearby files are later consumed by another component.
Remediation
- Validate
manifest.jsonnameandversionbefore any path join or filesystem write. Reject path separators,.., absolute paths, and any value that fails the existing_validate_name()/_validate_version()checks. - Resolve the final destination path and enforce that it remains under the configured registry root before calling
mkdir()orcopy2(). For example, compare the resolved destination againstself.recipes_path.resolve(). - Move the URL-to-manifest consistency check ahead of
self.registry.publish(...), or refactorpublish()so it receives already-validated route parameters instead of trusting attacker-controlled manifest values for storage paths.
AnalysisAI
Path traversal in PraisonAI's recipe registry publish endpoint allows authenticated users with publish access to write arbitrary files outside the configured registry root. The vulnerability affects the pip package 'praisonai' and stems from trusting attacker-controlled manifest.json name/version fields before validation, enabling directory traversal sequences like '../../' to bypass intended storage boundaries. While the malicious publish request returns HTTP 400, the out-of-bounds file write persists on disk. EPSS exploitation probability is low (0.06%, 18th percentile) with no active exploitation reported. Vendor patch available in version 4.5.113.
Technical ContextAI
PraisonAI implements a recipe registry system where users can publish recipe bundles as .praison tarball files containing a manifest.json descriptor. The publish flow in RegistryServer._handle_publish() accepts POST requests to /v1/recipes/{name}/{version}, extracts the uploaded tarball, and calls LocalRegistry.publish() which immediately uses the manifest's name and version fields to construct filesystem paths via Python's pathlib: 'recipe_dir = self.recipes_path / name / version'. This path concatenation occurs before validation helpers (_validate_name(), _validate_version()) are invoked, creating a classic TOCTOU (time-of-check-time-of-use) vulnerability. The CWE-22 path traversal arises because unsanitized path components containing '../' sequences are passed directly to Path.mkdir() and shutil.copy2(), allowing writes outside self.recipes_path. The subsequent URL-to-manifest consistency check correctly rejects mismatched requests with HTTP 400 and attempts cleanup via registry.delete(), but by that point the traversed file already exists on disk outside the registry root, where the cleanup logic cannot reach it.
RemediationAI
Upgrade PraisonAI to version 4.5.113 or later, which addresses the path traversal issue (release notes at https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113, advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f). For environments that cannot immediately upgrade, implement defense-in-depth mitigations: (1) Disable the recipe registry publish endpoint entirely if not required for operations-this eliminates the attack surface with no functional loss for deployments that only consume recipes. (2) If publish functionality is necessary, restrict network access to the registry server to trusted internal networks only via firewall rules or reverse proxy ACLs, and revoke publish tokens for any non-essential accounts-this reduces PR:L to a smaller set of highly trusted users but does not eliminate risk from compromised or malicious insiders. (3) Run the registry process under a dedicated service account with write permissions only to the registry root directory and no access to adjacent application or system directories-this contains the blast radius of arbitrary writes, though attackers may still cause DoS via disk exhaustion within the registry directory. Note that input validation alone (checking for '../' in manifest fields) is insufficient if not combined with path canonicalization checks, as the patch properly implements.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r9x3-wx45-2v7f