CVE-2026-39305

Aliases: GHSA-jfxc-v5g9-38xr
Published: 06 Apr 2026, 23:09
Last modified: 06 Apr 2026, 23:20

Vulnerability Summary

  • Overall Risk (default): high, 70/100
  • CVSS Score: 9 CRITICAL, 3.1 (osv_pypi)
  • EPSS Score: No data
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 06 Apr 2026, 23:09: Published (vulnerability first disclosed)
  • 06 Apr 2026, 23:20: Last Modified (vulnerability information updated)

Description

PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator

The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (`../`) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host.

### Details

Location: `src/praisonai/praisonai/cli/features/action_orchestrator.py` (Lines 402, 409, 423)

Vulnerable Code snippet:

```python
target = workspace / step.target
```

In the `_apply_step` method, paths are constructed by concatenating the `workspace` path with a user-supplied `step.target` string: `target = workspace / step.target`. The code fails to resolve and validate that the final absolute path remains within the bounds of the `workspace` directory. When processing `FILE_CREATE` or `FILE_EDIT` actions, this flaw permits arbitrary file modification.

### PoC

Construct a malicious `ActionStep` payload with path traversal characters:

```python
from praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus

# Payload targeting a file outside the workspace
step = ActionStep(
    id="test_traversal",
    action_type=ActionType.FILE_CREATE,
    description="Malicious file write",
    target="../../../../../../../tmp/orchestrator_pwned.txt",
    params={"content": "pwned"},
    status=ActionStatus.APPROVED
)

# When the orchestrator applies this step, it writes to the traversed path
# _apply_step(step)
```

### Impact

This is an Arbitrary File Write vulnerability. Anyone running the Action Orchestrator to apply modifications is vulnerable. A malicious prompt could trick the agent into generating a plan that overwrites critical files (e.g., `~/.ssh/authorized_keys`, `.bashrc`) leading to Remote Code Execution (RCE) or system corruption.

CVSS Metrics

  • v3.1, CRITICAL, Score: 9, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Affected Systems

  • PyPI: praisonai < 4.5.113

References (3)