The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (`../`) in the target path, malicious actions can overwrite sensitive...
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 4.5.112 | 4.5.113 |
Severity & Risk
Recommended Action
Patch available
Update PraisonAI to version 4.5.113
Compliance Impact
Compliance analysis pending.
Technical Details
NVD Description
The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (`../`) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host.

### Details

Location: `src/praisonai/praisonai/cli/features/action_orchestrator.py` (Lines 402, 409, 423)

Vulnerable Code snippet:

```python
target = workspace / step.target
```

In the `_apply_step` method, paths are constructed by concatenating the `workspace` path with a user-supplied `step.target` string: `target = workspace / step.target`. The code fails to resolve and validate that the final absolute path remains within the bounds of the `workspace` directory. When processing `FILE_CREATE` or `FILE_EDIT` actions, this flaw permits arbitrary file modification.

### PoC

Construct a malicious `ActionStep` payload with path traversal characters:

```python
from praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus

# Payload targeting a file outside the workspace
step = ActionStep(
    id="test_traversal",
    action_type=ActionType.FILE_CREATE,
    description="Malicious file write",
    target="../../../../../../../tmp/orchestrator_pwned.txt",
    params={"content": "pwned"},
    status=ActionStatus.APPROVED
)

# When the orchestrator applies this step, it writes to the traversed path
# _apply_step(step)
```

### Impact

This is an Arbitrary File Write vulnerability. Anyone running the Action Orchestrator to apply modifications is vulnerable. A malicious prompt could trick the agent into generating a plan that overwrites critical files (e.g., `~/.ssh/authorized_keys`, `.bashrc`) leading to Remote Code Execution (RCE) or system corruption.
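A containment check for the `workspace / step.target` join described under Details, written as an added example; it is not the PraisonAI 4.5.113 patch or the project's own code. The helper names `resolve_in_workspace` and `check_targets` are hypothetical, and the sample targets and the symlink are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_in_workspace(workspace, target):
    """Return the resolved path for target, or raise ValueError if it leaves workspace."""
    root = Path(workspace).resolve()
    # resolve() collapses ".." and follows symlinks. An absolute target replaces
    # root in the join ("/ws" / "/etc/x" == "/etc/x") and fails the same check.
    candidate = (root / target).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"target {target!r} escapes workspace {root}") from None
    return candidate


def check_targets(workspace, targets):
    """Map each target string to True (stays inside) or False (rejected)."""
    results = {}
    for t in targets:
        try:
            resolve_in_workspace(workspace, t)
            results[t] = True
        except ValueError:
            results[t] = False
    return results


def demo():
    """Run the check over constructed sample targets in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        os.symlink(tmp, ws / "link_out")  # constructed symlink pointing outside
        samples = [
            "src/app.py",                                       # normal
            "a/../b.txt",                                       # ".." that stays inside
            "../../../../../../../tmp/orchestrator_pwned.txt",  # target from the PoC
            "/tmp/orchestrator_pwned.txt",                      # absolute path
            "link_out/escaped.txt",                             # via symlink
        ]
        return check_targets(ws, samples)


if __name__ == "__main__":
    for target, allowed in demo().items():
        print("ALLOW " if allowed else "REJECT", target)
```

The write should then use the returned resolved path rather than the original string. A symlink swapped in between the check and the write is not covered by this check.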
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
References
Timeline
Related Vulnerabilities
CVE-2026-34955 8.8 PraisonAI: sandbox escape via shell=True blocklist bypass
Same package: praisonai
CVE-2026-39307 8.1 Analysis pending
Same package: praisonai
CVE-2026-34936 7.7 PraisonAI: SSRF via api_base steals cloud IAM credentials
Same package: praisonai
CVE-2026-39306 7.3 Analysis pending
Same package: praisonai
CVE-2026-39308 7.1 Analysis pending
Same package: praisonai