EUVD-2026-21164
GHSA-grrg-5cg9-58pf
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
Analysis
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated local attackers to read arbitrary files from the filesystem via the read_skill_file() function in skill_tools.py, which lacks the workspace boundary protections and approval requirements enforced by comparable file access functions. An agent subjected to prompt injection can exfiltrate sensitive files without user awareness or approval prompts, enabling confidentiality compromise with CVSS 6.2 (local attack vector, high confidentiality impact). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today