
PraisonAI CVE-2026-44340
EUVD-2026-28643 | Severity: HIGH
Path Traversal (CWE-22)
2026-05-08 | security-advisories@github.com | GHSA-9q28-ghcr-c4x3
CVSS 4.0 base score: 8.7

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: May 08, 2026 - 15:17 (EUVD)
Analysis Generated: May 08, 2026 - 15:01 (vuln.today)
CVE Published: May 08, 2026 - 14:16 (nvd)

Description (NVD)

PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape - but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.
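As an added illustration (not PraisonAI's code, nor code from the GHSA advisory), a hardened extraction helper in Python that applies the checks the description says were missing: it refuses symlink and hardlink members outright instead of trusting their linkname, keeps the name and resolved-path checks, and passes filter="data" where the running tarfile supports it. The destination path, member names and both bundles are constructed for the example; LINK_BUNDLE reproduces the member order the advisory describes so the helper can be seen refusing it.

```python
import io
import os
import tarfile

def check_member(member, dest_dir):
    """Return None if the member may be extracted, else the reason to refuse it."""
    if os.path.isabs(member.name) or ".." in member.name.split("/"):
        return "absolute path or .. segment in name"
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member.name))
    if os.path.commonpath([base, target]) != base:
        return "resolved path escapes dest_dir"
    # Name checks cannot see a symlink the archive itself will create, so link members are refused.
    if member.issym() or member.islnk():
        return f"symlink/hardlink member (linkname={member.linkname!r})"
    if not (member.isfile() or member.isdir()):
        return "special file type"
    return None

def audit_bundle(blob, dest_dir):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return [(m.name, r) for m in tar.getmembers()
                if (r := check_member(m, dest_dir))]

def safe_extractall(blob, dest_dir):
    """Refuse the whole bundle on any finding; otherwise extract with the data filter."""
    bad = audit_bundle(blob, dest_dir)
    if bad:
        raise ValueError(f"unsafe bundle: {bad}")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):  # 3.12+ and the 3.8-3.11 security backports
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)  # members were already vetted above

def build_bundle(entries):
    """Constructed fixture: (name, linkname, data) tuples; a set linkname means a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in entries:
            info = tarfile.TarInfo(name)
            if linkname:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

LINK_BUNDLE = build_bundle([("cfg", "../../outside", b""),  # constructed: the advisory's layout
                            ("cfg/recipe.yaml", None, b"injected")])
BENIGN_BUNDLE = build_bundle([("recipe.yaml", None, b"name: demo\n")])  # constructed
```

Note that the traversing regular file passes every name-based check on its own; only refusing the link member that precedes it catches the bundle, which is why validating names alone was insufficient.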

Analysis (AI)

Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. …


Remediation (AI)

Within 24 hours: Identify all systems running PraisonAI and inventory current versions. Within 7 days: Contact PraisonAI vendor to confirm availability of patched version 4.6.37 or later; if available, begin staged testing in non-production environment. …



CVE-2026-44340 vulnerability details – vuln.today
