CVE-2026-56078: PraisonAI: path traversal → arbitrary file read/write/RCE

HIGH
Published June 18, 2026
CISO Take

PraisonAI before 1.5.115 exposes a classic CWE-22 path traversal in its MultiAgentMonitor component: agent IDs passed to file-path builders are not sanitized, so an attacker can embed '../' sequences to read, overwrite, or create arbitrary files on the host. With a CVSS of 8.8 and an attack vector that is network-accessible, low-complexity, and requires only low privileges with no user interaction, the exploitation bar is essentially script-kiddie level — any authenticated user of a PraisonAI deployment can chain file-write access into remote code execution by overwriting startup scripts, cron jobs, or agent configuration files. The package carries 112 other CVEs, signaling a chronic hygiene deficit that raises the probability of chained exploits beyond this single finding. Upgrade to PraisonAI ≥ 1.5.115 immediately; if patching is not possible, restrict network access to the MultiAgentMonitor endpoint and enforce strict filesystem permissions on the user account running PraisonAI.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

HIGH. The combination of network-exposed attack surface (AV:N), trivial exploitation (AC:L, PR:L, UI:N), and a full CIA triad impact (C:H/I:H/A:H) places this near the top of practical exploit priority. Path traversal to arbitrary file write is a well-documented RCE primitive — attackers routinely leverage it to overwrite ~/.bashrc, crontabs, authorized_keys, or Python site-packages to achieve persistence and privilege escalation. The 112 CVEs on the same package suggest the codebase lacks systematic input validation, making this unlikely to be an isolated flaw. AI agent deployments are particularly exposed because they often run with elevated filesystem permissions to access model weights, configuration files, and API credentials.

How does the attack unfold?

  1. Initial Access (ATLAS AML.T0049)
     Attacker authenticates to PraisonAI with any low-privilege account (or exploits weak/default credentials) to reach the MultiAgentMonitor API endpoint.

  2. Path Traversal Exploitation (ATLAS AML.T0049)
     Attacker submits crafted agent IDs containing '../' sequences to the MultiAgentMonitor, causing the application to resolve file paths outside the intended working directory.

  3. Credential & Config Harvesting (ATLAS AML.T0083)
     Attacker reads .env files, config YAMLs, and agent memory stores to extract LLM API keys, database credentials, and tool definitions stored on the host.

  4. Code Execution / Persistence (ATLAS AML.T0081)
     Attacker overwrites an agent tool script, Python module, or crontab entry with a reverse shell payload, achieving persistent remote code execution on the host running the AI agent orchestrator.

What systems are affected?

Package           Ecosystem   Vulnerable Range   Patched
PraisonAI         pip                            No patch
                  1 dependents, 83% patched, ~0d to patch
PraisonAI Agents  pip                            No patch
                  11 dependents, 69% patched, ~0d to patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Patch immediately: upgrade PraisonAI to ≥ 1.5.115 (fix confirmed in GitHub advisory GHSA-766v-q9x3-g744).

  2. Network isolation: restrict access to the MultiAgentMonitor API endpoint at the network layer — it should not be publicly accessible.

  3. Principle of least privilege: run PraisonAI processes under a dedicated low-privilege OS user with filesystem access scoped only to required directories.

  4. Detection: audit logs for agent IDs containing '../', '%2e%2e', or encoded traversal sequences. Alert on any file access outside the expected working directory using auditd/eBPF-based tooling.

  5. Secret rotation: if deployment was exposed, rotate all API keys, database credentials, and tokens stored in the application's configuration directories.

  6. Inventory: scan for other PraisonAI instances across the environment — the package's 112-CVE history warrants a formal review of all versions in use.
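Step 4 above asks for log review for '../', '%2e%2e' and other encoded traversal sequences. The following is an added detection example written for this page; it is not PraisonAI's code or tooling. The access-log line format and the `/monitor/agents/<id>/...` URL shape are assumptions chosen for illustration, and the log lines themselves are constructed. The decoder is applied repeatedly so that double-encoded IDs (which a single `unquote` would miss) and backslash-separated variants are caught as well.

```python
"""Added detection example (not PraisonAI's code): flag requests whose
agent ID carries a '..' path segment after full percent-decoding.
The log format and the /monitor/agents/<id>/... URL shape are assumptions."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample access log; the endpoint path is a made-up shape.
SAMPLE_LOG = """\
2026-06-18T10:01:02Z GET /monitor/agents/agent-42/status 200
2026-06-18T10:01:05Z GET /monitor/agents/..%2F..%2Fetc%2Fpasswd/status 200
2026-06-18T10:01:09Z GET /monitor/agents/%252e%252e%252f%252e%252e%252fopt%252fpraisonai%252f.env/status 200
2026-06-18T10:02:11Z GET /monitor/agents/agent..legacy/status 200
2026-06-18T10:02:30Z GET /monitor/agents/..%5c..%5cwindows%5cwin.ini/status 404
"""

# One log line: timestamp, method, request path, HTTP status.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# The agent ID is the first path segment after the assumed endpoint prefix.
AGENT_ID_RE = re.compile(r"^/monitor/agents/(?P<id>[^/]+)")
# A traversal segment is '..' bounded by a separator ('/' or '\') or a string end,
# so 'agent..legacy' is not flagged but '..', '../x' and '..\x' are.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_traversal(agent_id: str) -> bool:
    """True when the decoded ID holds a '..' path segment with either separator."""
    return TRAVERSAL_RE.search(fully_decode(agent_id)) is not None


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose agent ID contains a traversal segment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        a = AGENT_ID_RE.match(m["path"])
        if not a:
            continue  # not a MultiAgentMonitor-style request
        raw = a["id"]
        if contains_traversal(raw):
            findings.append({
                "line": lineno,
                "raw": raw,
                "decoded": fully_decode(raw),
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on a traversal ID is the case to escalate: the read likely succeeded.
        print(f"line {f['line']} status {f['status']}: {f['raw']} -> {f['decoded']}")
```

Running the block against the constructed log flags lines 2, 3 and 5 and leaves the legitimate `agent-42` and `agent..legacy` IDs alone; the status code is kept in each finding because a 200 on a traversal ID indicates the read succeeded, whereas a 404 suggests the path was rejected or absent.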

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2.5 - AI system security and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to manage risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-56078 actively exploited?

No confirmed active exploitation of CVE-2026-56078 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56078?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, model serving, RAG pipelines, LLM API integrations.

What is the CVSS score for CVE-2026-56078?

CVE-2026-56078 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration, model serving, RAG pipelines, LLM API integrations

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. Attackers can include traversal sequences like ../ in agent IDs to read, write, or overwrite arbitrary files, enabling sensitive disclosure, denial of service, or code execution.

Exploitation Scenario

An attacker registers a low-privilege account on a PraisonAI deployment (or compromises one via credential stuffing). They submit a crafted API request to the MultiAgentMonitor endpoint with an agent ID such as `../../etc/passwd` to enumerate the filesystem, then escalate to `../../home/appuser/.ssh/authorized_keys` to inject their own SSH public key, or target `../../opt/praisonai/.env` to harvest LLM API keys stored in plaintext. With write access, they overwrite an agent's tool script or a Python module loaded at runtime with a reverse shell payload, achieving persistent code execution on the host. From there, they pivot laterally to connected vector databases, model registries, or internal APIs using harvested credentials.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.
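The "accept known good" guidance above is the fix for this class of bug. As an added example for this page (not PraisonAI's code, and not the project's actual patch), the block below shows the vulnerable shape, an untrusted agent ID joined straight into a filesystem path, beside a hardened builder that allowlists the ID and then verifies the resolved path still sits inside the agent directory. `AGENT_DIR`, the `.json` suffix and all function names are assumptions made for the illustration.

```python
"""Added example, not PraisonAI's code: the CWE-22 shape described above,
shown as an unsafe agent-ID path builder beside a hardened one that follows
the "accept known good" guidance. AGENT_DIR, the '.json' suffix and the
function names are assumptions made for this illustration."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed base directory; it does not need to exist for the checks below.
AGENT_DIR = Path("/srv/praisonai/agents")

# Allowlist: agent IDs are short tokens of letters, digits, '-' and '_'.
# Slashes, dots, percent signs and NULs never match, so they are rejected outright.
AGENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class AgentIdError(ValueError):
    """Raised when an agent ID fails validation or would escape the agent directory."""


def is_valid_agent_id(agent_id: str) -> bool:
    """Accept-known-good check: True only for IDs matching the allowlist."""
    return AGENT_ID_RE.fullmatch(agent_id) is not None


def build_agent_path_unsafe(agent_dir: Path, agent_id: str) -> Path:
    """The vulnerable pattern: untrusted input joined straight into a path.
    '../' segments in agent_id walk out of agent_dir unchallenged."""
    return agent_dir / f"{agent_id}.json"


def escapes_agent_dir(agent_dir: Path, agent_id: str) -> bool:
    """True when the unsafe builder would resolve to a file outside agent_dir.
    Note that a still-percent-encoded ID does not traverse at this layer; the
    danger is a web framework decoding it before the path is built."""
    root = agent_dir.resolve()
    target = build_agent_path_unsafe(agent_dir, agent_id).resolve()
    return root not in target.parents


def build_agent_path_safe(agent_dir: Path, agent_id: str) -> Path:
    """Hardened builder: allowlist the ID first, then confirm the resolved
    path is directly under agent_dir. The second check is defence in depth:
    resolve() follows symlinks, so a symlinked entry pointing outside the
    directory is caught even though its name passed the allowlist."""
    if not is_valid_agent_id(agent_id):
        raise AgentIdError(f"agent id rejected by allowlist: {agent_id!r}")
    root = agent_dir.resolve()
    candidate = (root / f"{agent_id}.json").resolve()
    if candidate.parent != root:
        raise AgentIdError(f"path escapes agent directory: {candidate}")
    return candidate


if __name__ == "__main__":
    for agent_id in ("agent-42", "../../etc/passwd", "%2e%2e%2fopt%2fpraisonai%2f.env"):
        print(f"{agent_id!r}: unsafe escapes={escapes_agent_dir(AGENT_DIR, agent_id)}", end="  ")
        try:
            print("safe ->", build_agent_path_safe(AGENT_DIR, agent_id))
        except AgentIdError as err:
            print("safe -> rejected:", err)
```

The allowlist alone would suffice for the IDs shown here; the containment check after `resolve()` exists so that a later loosening of the regex, or a symlink dropped into the agent directory, still cannot yield a path outside it. Validating the decoded value is what matters: a percent-encoded ID that reaches the builder undecoded fails the allowlist as well, so neither form gets through.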

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 18, 2026
Last Modified: June 18, 2026
First Seen: June 19, 2026