CVE-2026-35615: PraisonAI: path traversal exposes full filesystem via agent tools

GHSA-693f-pf34-72c5 CRITICAL CISA: TRACK*
Published April 6, 2026
CISO Take

PraisonAI's file validation logic contains a critical flaw where `os.path.normpath()` collapses `..` sequences before the traversal check runs, rendering the protection completely inert — any path like `/tmp/../etc/passwd` passes validation and resolves to `/etc/passwd`. All seven file operation methods (read_file, write_file, list_files, copy_file, move_file, delete_file, download_file) are affected, giving anyone able to influence file path arguments — via prompt injection, crafted user input, or direct API call — unrestricted read and write access to the host filesystem with no authentication required and a CVSS of 9.2. PraisonAI has 6 other CVEs in the same package, suggesting a pattern of insufficient security review in this codebase. Upgrade to PraisonAI 1.5.113 immediately; if patching is blocked, disable FileTools or isolate the agent process in a container with no access to sensitive host paths.

Sources: GitHub Advisory, ATLAS, NVD

What is the risk?

Critical risk. CVSS 9.2, no authentication or user interaction required, attack complexity trivial. Exploitation requires only the ability to pass a crafted file path — achievable via standard prompt injection against any PraisonAI agent that exposes file operations to user input. The symlink gap noted by the reporter adds a secondary bypass vector even if operators attempt manual mitigations. No CISA KEV listing and no known public exploits at time of analysis, but the simplicity of the bypass means weaponization latency will be short once the advisory gains visibility.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 1.5.112 | 1.5.113 |

1 dependent, 84% patched, ~0d to patch

Do you use PraisonAI? You're affected.

Severity & Risk

- CVSS 3.1: N/A
- EPSS: 0.1% chance of exploitation in 30 days (higher than 24% of all CVEs)
- Exploitation Status: Exploit Available
- Exploitation: MEDIUM
- Sophistication: Trivial
- Exploitation Confidence: medium
- CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What should I do?

  1. Patch immediately: upgrade to PraisonAI >= 1.5.113.

  2. If patching is blocked, disable FileTools entirely or wrap the agent process in a container/VM restricted to a dedicated working directory with no access to sensitive paths.

  3. OS-level hardening: run the agent as a low-privilege dedicated user with filesystem ACLs limiting read/write to the intended working directory.

  4. Retrospective detection: audit application logs for file path arguments containing .., references to /etc/, /root/, ~/.ssh/, or environment files outside the expected working directory.

  5. Long-term: add integration tests asserting that path traversal attempts raise exceptions before shipping updates to file-handling components; adopt a dedicated sandbox or seccomp profile for any agent with file system access.
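One way to run the step 4 log audit, shown as an added example that is not part of the advisory or of PraisonAI. The `key=value` log format, the key names, the working directory `/srv/agent/work` and the sample lines are all constructed assumptions.

```python
import posixpath
import re

WORKDIR = "/srv/agent/work"                # assumed agent working directory
SENSITIVE = ("/etc/", "/root/", "/.ssh/")  # locations named in step 4
# Assumed log format: key=value pairs; these key names are hypothetical.
PATH_ARG = re.compile(r"\b(?:filepath|path|src|dst)=(\S+)")

# Constructed sample log, not taken from a real PraisonAI deployment.
SAMPLE_LOG = """\
2026-04-07T10:01:02Z tool=read_file path=reports/q1.txt
2026-04-07T10:01:09Z tool=read_file path=/tmp/../etc/passwd
2026-04-07T10:01:15Z tool=read_file path=~/.ssh/id_rsa
2026-04-07T10:01:20Z tool=copy_file src=/srv/agent/work/a.txt dst=/srv/agent/.env
2026-04-07T10:01:31Z tool=write_file path=/srv/agent/work/out..v2.txt
""".splitlines()


def flag_reasons(raw: str) -> list:
    """Return the reasons a logged path argument deserves review."""
    reasons = []
    # Match '..' as a whole segment so names like 'out..v2.txt' are not flagged.
    if ".." in raw.split("/"):
        reasons.append("dotdot-segment")
    # Lexical resolution only: a log reader cannot follow the host's symlinks.
    resolved = posixpath.normpath(posixpath.join(WORKDIR, raw))
    # Substring match for triage; a workdir folder named 'etc' would also hit.
    if any(marker in resolved + "/" for marker in SENSITIVE):
        reasons.append("sensitive-path")
    inside = resolved == WORKDIR or resolved.startswith(WORKDIR + "/")
    if raw.startswith("~") or not inside:
        reasons.append("outside-workdir")
        if posixpath.basename(resolved).startswith(".env"):
            reasons.append("env-file")
    return reasons


def audit(lines) -> list:
    """Return (line number, path, reasons) for every flagged path argument."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in PATH_ARG.finditer(line):
            reasons = flag_reasons(match.group(1))
            if reasons:
                hits.append((number, match.group(1), reasons))
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(hit)
```

Because the vulnerable check accepted absolute paths as well, the `outside-workdir` reason matters as much as the `..` match: a request for `/etc/passwd` with no `..` in it would have passed validation too.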

CISA SSVC Assessment

- Decision: Track*
- Exploitation: poc
- Automatable: Yes
- Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

- EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
- ISO 42001: A.8.3 - AI system security
- NIST AI RMF: MANAGE 3.1 - Responses to the risks or impacts of AI systems are developed, monitored, and documented
- OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35615 actively exploited?

No confirmed active exploitation of CVE-2026-35615 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35615?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI file processing pipelines, multi-agent systems, autonomous AI task executors.

What is the CVSS score for CVE-2026-35615?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Executive Summary:

The path validation has a critical logic bug: it checks for `..` AFTER `normpath()` has already collapsed all `..` sequences. This makes the check completely useless and allows trivial path traversal to any file on the system.

The path validation function also does not resolve symlinks, which could potentially cause path traversal.

### Details:

`_validate_path()` calls `os.path.normpath()` first, which collapses `..` sequences, then checks for `'..'` in normalized. Since `..` is already collapsed, the check always passes.

**Vulnerable File:** `src/praisonai-agents/praisonaiagents/tools/file_tools.py`

**Lines:** 42-49

```python
import os


class FileTools:
    """Tools for file operations including read, write, list, and information."""

    @staticmethod
    def _validate_path(filepath: str) -> str:
        # Normalize the path
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)

        # Check for path traversal attempts (.. after normalization)
        # We check the original input for '..' to catch traversal attempts
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")

        return absolute
```

**Severity:** CRITICAL

**CVSS v3.1:** 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)

**CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

### Proof of concept (PoC)

**Prerequisites:**

- Ability to specify a file path and call file operations

**Steps to reproduce:**

poc.py

```python
from praisonaiagents.tools.file_tools import FileTools

print(FileTools._validate_path('/tmp/../etc/passwd'))
# Returns: /etc/passwd

print(FileTools.read_file('/tmp/../etc/passwd'))
# Returns: content of /etc/passwd
```

**Why this works:**

```python
# Current vulnerable code:
normalized = os.path.normpath(filepath)  # Collapses .. HERE
absolute = os.path.abspath(normalized)

if '..' in normalized:  # Check AFTER collapse - ALWAYS FALSE!
    raise ValueError(...)
```

### Impact:

- **Complete bypass** of path traversal protection
- Access to ANY file on the system with path from any starting directory
- Read sensitive files: `/etc/passwd`, `/etc/shadow`, `~/.ssh/id_rsa`
- Write arbitrary files if combined with write operations
- Affects file operations `read_file`, `write_file`, `list_files`, `get_file_info`, `copy_file`, `move_file`, `delete_file`, `download_file`

### Additional Notes:

- **Fix:** Check for `'..' in filepath` BEFORE calling `normpath()`, not after
- `_validate_path` uses `os.path.normpath` and `os.path.abspath`, which don't resolve symlinks, making it vulnerable to path traversal via symlink if an attacker can control the symlink.

Exploitation Scenario

An adversary targeting an organization running a PraisonAI-powered document processing agent sends a crafted query: 'Read the file at /tmp/../etc/ssh/sshd_config'. The agent passes this to `_validate_path()`, which calls `os.path.normpath('/tmp/../etc/ssh/sshd_config')` → `/etc/ssh/sshd_config`, then checks `'..' in '/etc/ssh/sshd_config'` → False, and returns the path without error. The agent reads and returns the full file contents. The adversary escalates: subsequent requests exfiltrate /etc/passwd, /root/.ssh/id_rsa, and .env files containing database credentials and API keys. If write access is available, the adversary plants a backdoor in a startup script or overwrites application configuration to redirect outbound traffic to an attacker-controlled endpoint.
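The evaluation traced above, reproduced beside a containment check that resolves symlinks with `os.path.realpath()` and compares the result against an allowed root. This is an added example, not PraisonAI's code or its 1.5.113 patch; `contained_validate`, `verdict`, `demo` and the workspace layout are assumptions, and every path is constructed inside a temporary directory.

```python
import os
import tempfile

def vulnerable_validate(filepath: str) -> str:
    """The advisory's logic: '..' is tested after normpath() has removed it."""
    normalized = os.path.normpath(filepath)
    if ".." in normalized:
        raise ValueError(f"Path traversal detected: {filepath}")
    return os.path.abspath(normalized)

def contained_validate(filepath: str, root: str) -> str:
    """Resolve symlinks first, then require the result to stay under root."""
    root_real = os.path.realpath(root)
    # Relative input is anchored at root; absolute input replaces it in join().
    candidate = os.path.realpath(os.path.join(root_real, filepath))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"Path escapes workspace: {filepath!r}")
    return candidate

def verdict(check, path: str) -> str:
    try:
        check(path)
        return "accepted"
    except ValueError:
        return "rejected"

def demo() -> dict:
    """Run both validators over constructed paths in a throwaway directory."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "workspace")  # hypothetical allowed root
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        open(secret, "w").close()
        os.symlink(outside, os.path.join(root, "link"))  # symlink out of root
        cases = {
            "inside": "notes/report.txt",
            "dotdot": os.path.join(root, "..", "outside", "secret.txt"),
            "symlink": "link/secret.txt",
            "absolute": secret,
        }
        return {
            name: {"vulnerable": verdict(vulnerable_validate, path),
                   "contained": verdict(lambda p: contained_validate(p, root), path)}
            for name, path in cases.items()
        }

if __name__ == "__main__":
    print(demo())
```

Validation and use are still separate steps, so a symlink swapped in between them can redirect the operation; the container and low-privilege user from the mitigation steps remain necessary alongside any path check.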

Timeline

- Published: April 6, 2026
- Last Modified: April 6, 2026
- First Seen: April 7, 2026

Related Vulnerabilities