Skip to main content

PraisonAI EUVDEUVD-2026-42898

| CVE-2026-61432 MEDIUM
Path Traversal (CWE-22)
2026-07-10 VulnCheck GHSA-3f4v-mp44-x4x2
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.7 MEDIUM

Network-reachable with low complexity; low privilege and required interaction confirmed by CVSS 4.0 PR:L/UI:P; high confidentiality impact only, no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 16:03 vuln.today

DescriptionCVE.org

PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep_search, glob_search, read_file, or list_directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.

AnalysisAI

Path traversal in PraisonAI's FastContext feature (praisonaiagents before 1.6.78) enables low-privileged network attackers to read arbitrary files outside the intended workspace sandbox. FastContextAgent.execute_tool() applies the workspace_path prefix only to relative paths, neither rejecting absolute path arguments nor canonicalizing joined paths before enforcing containment - meaning file-operation tools (grep_search, glob_search, read_file, list_directory) can be exploited with '../' sequences or direct absolute paths to exfiltrate host files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to FastContext-enabled agent endpoint
Delivery
Craft absolute path or '../' traversal argument
Exploit
Submit malicious tool call (read_file/grep_search/glob_search/list_directory)
Execution
execute_tool() skips path canonicalization and containment check
Impact
Arbitrary host file contents returned to attacker or injected into model context

Vulnerability AssessmentAI

Exploitation Exploitation requires the FastContext feature (praisonaiagents.context.fast module) to be instantiated and actively used - deployments that do not use FastContextAgent are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, score 6.9) signals network reachability with low complexity, low-privilege authentication, a user-interaction component, and high confidentiality impact limited to the vulnerable system with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege access to a PraisonAI deployment - or an adversary who achieves prompt injection into a FastContext-enabled agent - supplies a crafted tool argument such as /etc/passwd or ../../../../home/app/.ssh/id_rsa to the read_file or grep_search tool. Because execute_tool() neither rejects the absolute path nor canonicalizes the joined traversal sequence, the file is read and its contents returned directly to the attacker or injected into the model's context, potentially leaking credentials or private keys. …
Remediation Upgrade praisonaiagents to version 1.6.78 or later, which resolves the path traversal per the vendor security advisory (GHSA-4xxv-6wmf-xf45) via upstream commit 1620b49f36945d8cc8ee5635b906c960df5097a0 (https://github.com/MervinPraison/PraisonAI/commit/1620b49f36945d8cc8ee5635b906c960df5097a0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

EUVD-2026-42898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy