AI Threat Alert AI Threat Alert

GHSA-766v-q9x3-g744: praisonaiagents: agent context leak + path traversal

GHSA-766v-q9x3-g744 MEDIUM
Published April 8, 2026
CISO Take

Two vulnerabilities in praisonaiagents (≤1.5.114) allow an authenticated attacker to steal sensitive multi-agent context — including system prompts and full conversation history — by registering an agent with a duplicate ID, and to read or write arbitrary files outside the intended directory via unsanitized path traversal in agent IDs. While not in CISA KEV and EPSS data is unavailable, the CVSS 6.5 vector (AV:N/AC:L/PR:L/UI:N) means any low-privileged user in a multi-tenant PraisonAI deployment can exploit this remotely with no user interaction, making cross-tenant data leakage a realistic threat in shared orchestration environments. Organizations running praisonaiagents in production should patch to 1.5.115 immediately; if patching is not immediate, restrict who can register agent IDs and audit file permissions on the base_path used by MultiAgentMonitor.

Sources: GitHub Advisory ATLAS NVD

Risk Assessment

Medium-severity but operationally significant for multi-tenant or SaaS deployments of PraisonAI. The low attack complexity and low privilege requirement mean exploitation is trivial for any authenticated user. Path traversal introduces a file system exposure risk that, depending on deployment context, could escalate to sensitive credential or config file reads. The confidentiality impact is rated HIGH in the CVSS vector. Absent CISA KEV listing or known public exploits, opportunistic exploitation is the primary threat model, but the PoC provided in the advisory makes weaponization straightforward.

Affected Systems

Package Ecosystem Vulnerable Range Patched
praisonaiagents pip <= 1.5.114 1.5.115

Do you use praisonaiagents? You're affected.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

  1. Patch: upgrade praisonaiagents to ≥1.5.115 immediately.
  2. Verify no agents are currently sharing ledger state by auditing agent ID uniqueness in your configuration.
  3. If patching is delayed, restrict agent ID registration to trusted internal code paths — block user-controlled agent ID inputs.
  4. Apply filesystem-level controls: run MultiAgentMonitor under a dedicated OS user with write access restricted to the intended base_path only.
  5. Scan agent ID inputs for path traversal sequences (../, ..\ ) as a temporary control.
  6. Review logs for agent ID collisions or unexpected file creation outside designated directories as indicators of exploitation.

Classification

Data Leakage Data Extraction Agent Framework AML.T0037 AML.T0049 AML.T0056 AML.T0057

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Information security in AI system lifecycle
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain alignment with risk response
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Technical Details

NVD Description

## Summary The `MultiAgentLedger` and `MultiAgentMonitor` components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically: 1. **Memory State Leakage via Agent ID Collision**: The `MultiAgentLedger` uses a dictionary to store ledgers by agent ID without enforcing uniqueness. This allows agents with the same ID to share ledger instances, leading to potential leakage of sensitive context data. 2. **Path Traversal in MultiAgentMonitor**: The `MultiAgentMonitor` constructs file paths by concatenating the `base_path` and agent ID without sanitization. This allows an attacker to escape the intended directory using path traversal sequences (e.g., `../`), potentially leading to arbitrary file read/write. ## Details ### Vulnerability 1: Memory State Leakage - **File**: `examples/context/12_multi_agent_context.py:68` - **Description**: The `MultiAgentLedger` class uses a dictionary (`self.ledgers`) to store ledger instances keyed by agent ID. The `get_agent_ledger` method creates a new ledger only if the agent ID is not present. If two agents are registered with the same ID, they will share the same ledger instance. This violates the isolation policy and can lead to leakage of sensitive context data (system prompts, conversation history) between agents. - **Exploitability**: An attacker can register an agent with the same ID as a victim agent to gain access to their ledger. This is particularly dangerous in multi-tenant systems where agents may handle sensitive user data. ### Vulnerability 2: Path Traversal - **File**: `examples/context/12_multi_agent_context.py:106` - **Description**: The `MultiAgentMonitor` class constructs file paths for agent monitors by directly concatenating the `base_path` and agent ID. Since the agent ID is not sanitized, an attacker can provide an ID containing path traversal sequences (e.g., `../../malicious`). This can result in files being created or read outside the intended directory (`base_path`). - **Exploitability**: An attacker can create an agent with a malicious ID (e.g., `../../etc/passwd`) to write or read arbitrary files on the system, potentially leading to information disclosure or file corruption. ## PoC ### Memory State Leakage ```python multi_ledger = MultiAgentLedger() # Victim agent (user1) registers and tracks sensitive data victim_ledger = multi_ledger.get_agent_ledger('user1_agent') victim_ledger.track_system_prompt("Sensitive system prompt") victim_ledger.track_history([{"role": "user", "content": "Secret data"}]) # Attacker registers with the same ID attacker_ledger = multi_ledger.get_agent_ledger('user1_agent') # Attacker now has access to victim's ledger print(attacker_ledger.get_ledger().system_prompt) # Outputs: "Sensitive system prompt" print(attacker_ledger.get_ledger().history) # Outputs: [{'role': 'user', 'content': 'Secret data'}] ``` ### Path Traversal ```python with tempfile.TemporaryDirectory() as tmpdir: multi_monitor = MultiAgentMonitor(base_path=tmpdir) # Create agent with malicious ID malicious_id = '../../malicious' monitor = multi_monitor.get_agent_monitor(malicious_id) # The monitor file is created outside the intended base_path # Example: if tmpdir is '/tmp/safe_dir', the actual path might be '/tmp/malicious' print(monitor.path) # Outputs: '/tmp/malicious' (or equivalent) ``` ## Impact - **Memory State Leakage**: This vulnerability can lead to unauthorized access to sensitive agent context, including system prompts and conversation history. In a multi-tenant system, this could result in cross-user data leakage. - **Path Traversal**: An attacker can read or write arbitrary files on the system, potentially leading to information disclosure, denial of service (by overwriting critical files), or remote code execution (if executable files are overwritten). ## Recommended Fix ### For Memory State Leakage - Enforce unique agent IDs at the application level. If the application expects unique IDs, add a check during agent registration to prevent duplicates. - Alternatively, modify the `MultiAgentLedger` to throw an exception if an existing agent ID is reused (unless explicitly allowed). ### For Path Traversal - Sanitize agent IDs before using them in file paths. Replace any non-alphanumeric characters (except safe ones like underscores) or remove path traversal sequences. - Use `os.path.join` and `os.path.realpath` to resolve paths, then check that the resolved path starts with the intended base directory. Example fix for `MultiAgentMonitor`: ```python import os def get_agent_monitor(self, agent_id: str): # Sanitize agent_id to remove path traversal safe_id = os.path.basename(agent_id.replace('../', '').replace('..\\', '')) # Alternatively, use a strict allow-list of characters # Construct path and ensure it's within base_path agent_path = os.path.join(self.base_path, safe_id) real_path = os.path.realpath(agent_path) real_base = os.path.realpath(self.base_path) if not real_path.startswith(real_base): raise ValueError(f"Invalid agent ID: {agent_id}") ... ``` Additionally, consider using a dedicated function for sanitizing filenames.

Exploitation Scenario

An attacker operating in a multi-tenant PraisonAI deployment registers a new agent using the known ID of a victim agent (e.g., obtained by enumerating the system or guessing common naming conventions). The MultiAgentLedger returns the shared ledger instance, granting full read access to the victim's system prompt and conversation history. In a parallel attack, the attacker creates an agent with an ID like '../../.env' or '../../etc/passwd'. The MultiAgentMonitor constructs the file path without sanitization, causing the monitor file to be written to or read from outside the intended directory — potentially exfiltrating API keys, database credentials, or overwriting application configs for further compromise.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-668 Exposure of Resource to Wrong Sphere Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
April 8, 2026
Last Modified
April 8, 2026
First Seen
April 8, 2026

Related Vulnerabilities

CRITICAL CVE-2026-34938 10.0

praisonaiagents: sandbox bypass enables full host RCE

Same package: praisonaiagents
CRITICAL CVE-2026-39888 10.0

praisonaiagents: sandbox escape enables host RCE

Same package: praisonaiagents
HIGH CVE-2026-34954 8.6

praisonaiagents: SSRF leaks cloud IAM credentials

Same package: praisonaiagents
HIGH CVE-2026-34937 7.8

PraisonAI: OS command injection via run_python() shell escape

Same package: praisonaiagents
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
Back to Threat Feed