Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with low complexity; low privilege and required interaction confirmed by CVSS 4.0 PR:L/UI:P; high confidentiality impact only, no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep_search, glob_search, read_file, or list_directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.
AnalysisAI
Path traversal in PraisonAI's FastContext feature (praisonaiagents before 1.6.78) enables low-privileged network attackers to read arbitrary files outside the intended workspace sandbox. FastContextAgent.execute_tool() applies the workspace_path prefix only to relative paths, neither rejecting absolute path arguments nor canonicalizing joined paths before enforcing containment - meaning file-operation tools (grep_search, glob_search, read_file, list_directory) can be exploited with '../' sequences or direct absolute paths to exfiltrate host files. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the FastContext feature (praisonaiagents.context.fast module) to be instantiated and actively used - deployments that do not use FastContextAgent are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, score 6.9) signals network reachability with low complexity, low-privilege authentication, a user-interaction component, and high confidentiality impact limited to the vulnerable system with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privilege access to a PraisonAI deployment - or an adversary who achieves prompt injection into a FastContext-enabled agent - supplies a crafted tool argument such as /etc/passwd or ../../../../home/app/.ssh/id_rsa to the read_file or grep_search tool. Because execute_tool() neither rejects the absolute path nor canonicalizes the joined traversal sequence, the file is read and its contents returned directly to the attacker or injected into the model's context, potentially leaking credentials or private keys. … |
| Remediation | Upgrade praisonaiagents to version 1.6.78 or later, which resolves the path traversal per the vendor security advisory (GHSA-4xxv-6wmf-xf45) via upstream commit 1620b49f36945d8cc8ee5635b906c960df5097a0 (https://github.com/MervinPraison/PraisonAI/commit/1620b49f36945d8cc8ee5635b906c960df5097a0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42898
GHSA-3f4v-mp44-x4x2