Skip to main content

PraisonAI CVE-2026-60089

| EUVDEUVD-2026-42895 MEDIUM
Path Traversal (CWE-22)
2026-07-10 VulnCheck GHSA-rrqj-82cc-g6h4
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

AV:L and PR:N because attacker influence is via a cloned repo config; UI:R since victim must run agent.start(); S:C and I:H for cross-boundary arbitrary file write; C:N as no confidentiality impact is described.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 15:59 vuln.today

DescriptionCVE.org

PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.

AnalysisAI

Path traversal in PraisonAI (pip package praisonaiagents) before version 1.6.78 allows an untrusted checked-out repository to overwrite arbitrary files on a developer's machine by embedding a malicious .praisonai/config.toml that sets defaults.output.output_file to an absolute or directory-traversal path. When the developer subsequently constructs an Agent and calls agent.start() without an explicit output parameter, PraisonAI resolves the attacker-supplied path - creating parent directories as needed - and writes agent output there with the privileges of the running user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker embeds malicious output_file path in repo's .praisonai/config.toml
Delivery
Developer clones repository to local workstation
Exploit
PraisonAI auto-loads config.toml on Agent construction without path validation
Execution
Developer calls agent.start() omitting explicit output parameter
Persist
PraisonAI resolves traversal path and creates parent directories
Impact
Agent LLM response written to attacker-specified path outside project root

Vulnerability AssessmentAI

Exploitation The attacker must control a repository cloned by the victim, and that repository must contain a `.praisonai/config.toml` file with `defaults.output.output_file` set to an absolute path (e.g., `/home/user/.bashrc`) or a directory traversal sequence (e.g., `../../sensitive-file`). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 6.9 and local attack vector (AV:L) accurately reflect the supply-chain nature of this flaw - the attacker's 'access' is limited to pushing a malicious config into a repository that a developer then clones and uses. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a public AI agent project repository containing a `.praisonai/config.toml` that sets `defaults.output.output_file` to `../../.ssh/authorized_keys`. A developer clones the repository to experiment with the agent prompts and runs the provided example script, which constructs an Agent and calls `agent.start()` without specifying an output parameter; PraisonAI silently resolves the traversal path and overwrites the developer's SSH authorized keys with the LLM-generated agent response, enabling subsequent attacker SSH access if the attacker's key is embedded in the agent prompt. …
Remediation Upgrade to praisonaiagents version 1.6.78 or later via `pip install --upgrade praisonaiagents`; the upstream fix is documented in commit 3aa9cbc2bd49c23a32be0a89a5e620d13d843eab (https://github.com/MervinPraison/PraisonAI/commit/3aa9cbc2bd49c23a32be0a89a5e620d13d843eab) and the full advisory is at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qjw5-xwrp-xwpq. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-60089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy