CVE-2026-35615: PraisonAI: path traversal exposes full filesystem via agent tools
GHSA-693f-pf34-72c5 CRITICAL CISA: TRACK*PraisonAI's file validation logic contains a critical flaw where `os.path.normpath()` collapses `..` sequences before the traversal check runs, rendering the protection completely inert — any path like `/tmp/../etc/passwd` passes validation and resolves to `/etc/passwd`. All seven file operation methods (read_file, write_file, list_files, copy_file, move_file, delete_file, download_file) are affected, giving anyone able to influence file path arguments — via prompt injection, crafted user input, or direct API call — unrestricted read and write access to the host filesystem with no authentication required and a CVSS of 9.2. PraisonAI has 6 other CVEs in the same package, suggesting a pattern of insufficient security review in this codebase. Upgrade to PraisonAI 1.5.113 immediately; if patching is blocked, disable FileTools or isolate the agent process in a container with no access to sensitive host paths.
What is the risk?
Critical risk. CVSS 9.2, no authentication or user interaction required, attack complexity trivial. Exploitation requires only the ability to pass a crafted file path — achievable via standard prompt injection against any PraisonAI agent that exposes file operations to user input. The symlink gap noted by the reporter adds a secondary bypass vector even if operators attempt manual mitigations. No CISA KEV listing and no known public exploits at time of analysis, but the simplicity of the bypass means weaponization latency will be short once the advisory gains visibility.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 1.5.112 | 1.5.113 |
Do you use PraisonAI? You're affected.
How severe is it?
What should I do?
5 steps-
Patch immediately: upgrade to PraisonAI >= 1.5.113.
-
If patching is blocked, disable FileTools entirely or wrap the agent process in a container/VM restricted to a dedicated working directory with no access to sensitive paths.
-
OS-level hardening: run the agent as a low-privilege dedicated user with filesystem ACLs limiting read/write to the intended working directory.
-
Retrospective detection: audit application logs for file path arguments containing
.., references to /etc/, /root/, ~/.ssh/, or environment files outside the expected working directory. -
Long-term: add integration tests asserting that path traversal attempts raise exceptions before shipping updates to file-handling components; adopt a dedicated sandbox or seccomp profile for any agent with file system access.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-35615?
PraisonAI's file validation logic contains a critical flaw where `os.path.normpath()` collapses `..` sequences before the traversal check runs, rendering the protection completely inert — any path like `/tmp/../etc/passwd` passes validation and resolves to `/etc/passwd`. All seven file operation methods (read_file, write_file, list_files, copy_file, move_file, delete_file, download_file) are affected, giving anyone able to influence file path arguments — via prompt injection, crafted user input, or direct API call — unrestricted read and write access to the host filesystem with no authentication required and a CVSS of 9.2. PraisonAI has 6 other CVEs in the same package, suggesting a pattern of insufficient security review in this codebase. Upgrade to PraisonAI 1.5.113 immediately; if patching is blocked, disable FileTools or isolate the agent process in a container with no access to sensitive host paths.
Is CVE-2026-35615 actively exploited?
No confirmed active exploitation of CVE-2026-35615 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35615?
1. Patch immediately: upgrade to PraisonAI >= 1.5.113. 2. If patching is blocked, disable FileTools entirely or wrap the agent process in a container/VM restricted to a dedicated working directory with no access to sensitive paths. 3. OS-level hardening: run the agent as a low-privilege dedicated user with filesystem ACLs limiting read/write to the intended working directory. 4. Retrospective detection: audit application logs for file path arguments containing `..`, references to /etc/, /root/, ~/.ssh/, or environment files outside the expected working directory. 5. Long-term: add integration tests asserting that path traversal attempts raise exceptions before shipping updates to file-handling components; adopt a dedicated sandbox or seccomp profile for any agent with file system access.
What systems are affected by CVE-2026-35615?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI file processing pipelines, multi-agent systems, autonomous AI task executors.
What is the CVSS score for CVE-2026-35615?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0086 Exfiltration via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
### Executive Summary: The path validation has a critical logic bug: it checks for `..` AFTER `normpath()` has already collapsed all `..` sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the symlink wich could potentially cause path traversal. ### Details: `_validate_path()` calls `os.path.normpath()` first, which collapses `..` sequences, then checks for `'..'` in normalized. Since `..` is already collapsed, the check always passes. **Vulnerable File:** `src/praisonai-agents/praisonaiagents/tools/file_tools.py` **Lines:** 42-49 ```python class FileTools: """Tools for file operations including read, write, list, and information.""" @staticmethod def _validate_path(filepath: str) -> str: # Normalize the path normalized = os.path.normpath(filepath) absolute = os.path.abspath(normalized) # Check for path traversal attempts (.. after normalization) # We check the original input for '..' to catch traversal attempts if '..' in normalized: raise ValueError(f"Path traversal detected: {filepath}") return absolute ``` **Severity:** CRITICAL **CVSS v3.1:** 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N **CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ### Proof of concept (PoC) **Prerequisites:** - Ability to specify a file path can call file operations **Steps to reproduce:** poc.py ```python from praisonaiagents.tools.file_tools import FileTools print(FileTools._validate_path('/tmp/../etc/passwd')) # Returns: /etc/passwd print(FileTools.read_file('/tmp/../etc/passwd')) # Returns: content of /etc/passwd ``` **Why this works:** ```python # Current vulnerable code: normalized = os.path.normpath(filepath) # Collapses .. HERE absolute = os.path.abspath(normalized) if '..' in normalized: # Check AFTER collapse - ALWAYS FALSE! raise ValueError(...) ``` ### Impact: - **Complete bypass** of path traversal protection - Access to ANY file on the system with path from any starting directory - Read sensitive files: `/etc/passwd`, `/etc/shadow`, `~/.ssh/id_rsa` - Write arbitrary files if combined with write operations - Affect file operations `read_file`, `write_file`, `list_files`, `get_file_info`, `copy_file`, `move_file`, `delete_file`, `download_file` ### Additional Notes: - **Fix:** Check for `'..' in filepath` BEFORE calling `normpath()`, not after - `_validate_path` uses `os.path.normpath` and `os.path.abspath`, which don't resolve symlinks, making it vulnerable to path traversal via symlink if attacker can control the symlink.
Exploitation Scenario
An adversary targeting an organization running a PraisonAI-powered document processing agent sends a crafted query: 'Read the file at /tmp/../etc/ssh/sshd_config'. The agent passes this to `_validate_path()`, which calls `os.path.normpath('/tmp/../etc/ssh/sshd_config')` → `/etc/ssh/sshd_config`, then checks `'..' in '/etc/ssh/sshd_config'` → False, and returns the path without error. The agent reads and returns the full file contents. The adversary escalates: subsequent requests exfiltrate /etc/passwd, /root/.ssh/id_rsa, and .env files containing database credentials and API keys. If write access is available, the adversary plants a backdoor in a startup script or overwrites application configuration to redirect outbound traffic to an attacker-controlled endpoint.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai CVE-2026-39890 9.8 PraisonAI: YAML deserialization enables unauthenticated RCE
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai