AI Threat Alert
### Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the `agent_file` field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. ### Details The `agent_file` field in...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | < 4.6.59 | 4.6.59 |
Do you use PraisonAI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update PraisonAI to version 4.6.59
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is GHSA-p4pj-vh7h-6cqh?
### Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the `agent_file` field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. ### Details The `agent_file` field in `JobSubmitRequest` accepts any filesystem path with no validation: ```python # src/praisonai/praisonai/jobs/models.py:29 agent_file: Optional[str] = Field(None, description="Path to agents.yaml file") # NO path validator, NO allowlist ``` The executor reads the file directly: ```python # src/praisonai/praisonai/jobs/executor.py:221 agent_file = job.agent_file or "agents.yaml" # passed directly to yaml.safe_load(open(agent_file)) ``` ### Proof of Concept ```bash curl -X POST http://:8005/api/v1/runs \ -H "Content-Type: application/json" \ -d '{"prompt": "run", "agent_file": "/etc/passwd"}' ``` Server responds with contents of `/etc/passwd`. Other exploitable paths: - `/proc/1/environ` — environment variables, API keys - `/home//.ssh/id_rsa` — SSH private keys - `/app/.env` — application secrets ### Impact Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
Is GHSA-p4pj-vh7h-6cqh actively exploited?
No confirmed active exploitation of GHSA-p4pj-vh7h-6cqh has been reported, but organizations should still patch proactively.
How to fix GHSA-p4pj-vh7h-6cqh?
Update to patched version: PraisonAI 4.6.59.
What is the CVSS score for GHSA-p4pj-vh7h-6cqh?
GHSA-p4pj-vh7h-6cqh has a CVSS v3.1 base score of 7.5 (HIGH).
What are the technical details?
Original Advisory
### Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the `agent_file` field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. ### Details The `agent_file` field in `JobSubmitRequest` accepts any filesystem path with no validation: ```python # src/praisonai/praisonai/jobs/models.py:29 agent_file: Optional[str] = Field(None, description="Path to agents.yaml file") # NO path validator, NO allowlist ``` The executor reads the file directly: ```python # src/praisonai/praisonai/jobs/executor.py:221 agent_file = job.agent_file or "agents.yaml" # passed directly to yaml.safe_load(open(agent_file)) ``` ### Proof of Concept ```bash curl -X POST http://:8005/api/v1/runs \ -H "Content-Type: application/json" \ -d '{"prompt": "run", "agent_file": "/etc/passwd"}' ``` Server responds with contents of `/etc/passwd`. Other exploitable paths: - `/proc/1/environ` — environment variables, API keys - `/home//.ssh/id_rsa` — SSH private keys - `/app/.env` — application secrets ### Impact Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
GHSA-vmmj-pfw7-fjwp 9.9 Analysis pending
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai CVE-2026-39890 9.8 PraisonAI: YAML deserialization enables unauthenticated RCE
Same package: praisonai