Skip to main content

PraisonAI CVE-2026-56078

| EUVDEUVD-2026-37962 HIGH
Path Traversal (CWE-22)
2026-06-18 VulnCheck GHSA-fwh2-95jw-g4j6
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable agent API with low-privilege caller controlling agent ID (PR:L); arbitrary file read/write yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 02:01 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 23:18 vuln.today
Analysis Generated
Jun 18, 2026 - 23:18 vuln.today

DescriptionCVE.org

PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. Attackers can include traversal sequences like ../ in agent IDs to read, write, or overwrite arbitrary files, enabling sensitive disclosure, denial of service, or code execution.

AnalysisAI

Path traversal in PraisonAI's MultiAgentMonitor component (versions <= 1.5.114) lets remote attackers who can supply agent identifiers read, write, or overwrite arbitrary files on the host by embedding '../' sequences in agent IDs. The flaw, disclosed by VulnCheck and tracked as GHSA-766v-q9x3-g744, enables information disclosure, denial of service, and potential code execution in multi-agent AI deployments; no public exploit identified at time of analysis but a detailed PoC is included in the advisory.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PraisonAI agent-creation interface
Delivery
Submit agent ID containing '../' traversal
Exploit
MultiAgentMonitor builds unsanitized file path
Execution
Read/write target file outside base_path
Persist
Overwrite executable or config
Impact
Trigger code execution or data exfiltration

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control or influence the agent ID string passed to MultiAgentMonitor (and/or MultiAgentLedger) - for example a web frontend, API, or chat interface that accepts user-chosen agent identifiers and forwards them to PraisonAI without filtering. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 8.7 and reflects a network-reachable, low-complexity, low-privilege flaw with high impact on confidentiality, integrity, and availability - consistent with arbitrary file read/write leading to possible code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker interacting with a PraisonAI-backed application supplies an agent ID such as '../../../../etc/cron.d/pwn' (or a Windows equivalent), causing MultiAgentMonitor to write attacker-controlled monitor content outside base_path; on a host where that path is executed by a privileged process, this escalates to code execution, while pointing the ID at sensitive files like SSH keys or application configs yields information disclosure. The advisory publishes a working PoC, so weaponization effort is low for any deployment exposing agent ID creation to untrusted callers.
Remediation Vendor-released patch: upgrade praisonaiagents to 1.5.115 or later (pip install --upgrade praisonaiagents), per GHSA-766v-q9x3-g744. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running PraisonAI ≤1.5.114 and determine if MultiAgentMonitor is exposed to untrusted networks; document current file system permissions and access controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-56078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy