GHSA-JFXC-V5G9-38XR
Vulnerability from github – Published: 2026-04-06 23:09 – Updated: 2026-04-07 22:10

The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host.
Details
Location: src/praisonai/praisonai/cli/features/action_orchestrator.py (Lines 402, 409, 423)
Vulnerable code snippet:
```python
target = workspace / step.target
```
In the _apply_step method, paths are constructed by concatenating the workspace path with a user-supplied step.target string: target = workspace / step.target. The code fails to resolve and validate that the final absolute path remains within the bounds of the workspace directory. When processing FILE_CREATE or FILE_EDIT actions, this flaw permits arbitrary file modification.
PoC
Construct a malicious ActionStep payload with path traversal characters:
```python
from praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus

# Payload targeting a file outside the workspace
step = ActionStep(
    id="test_traversal",
    action_type=ActionType.FILE_CREATE,
    description="Malicious file write",
    target="../../../../../../../tmp/orchestrator_pwned.txt",
    params={"content": "pwned"},
    status=ActionStatus.APPROVED
)

# When the orchestrator applies this step, it writes to the traversed path
# _apply_step(step)
```
Impact
This is an Arbitrary File Write vulnerability. Anyone running the Action Orchestrator to apply modifications is vulnerable. A malicious prompt could trick the agent into generating a plan that overwrites critical files (e.g., ~/.ssh/authorized_keys, .bashrc) leading to Remote Code Execution (RCE) or system corruption.
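The containment check that Details says is missing, shown beside the unchecked join. This is an added example, not PraisonAI's code and not the fix shipped in 4.5.113; `unsafe_target`, `safe_target`, `demo` and `SAMPLE_TARGETS` are hypothetical names, and every sample target except the PoC string is constructed.

```python
import os
import tempfile
from pathlib import Path


def unsafe_target(workspace: Path, target: str) -> Path:
    # Pattern quoted in the advisory: plain join, no containment check.
    return workspace / target


def safe_target(workspace: Path, target: str) -> Path:
    """Resolve target under workspace; reject anything that escapes it."""
    root = workspace.resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison uses
    # the path a write would really hit. An absolute target replaces the
    # left side of "/" entirely, which the same check catches.
    candidate = (root / target).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"{target!r} resolves outside {root}") from None
    return candidate


# Constructed sample targets; only the second one comes from the advisory PoC.
SAMPLE_TARGETS = [
    "src/app.py",
    "../../../../../../../tmp/orchestrator_pwned.txt",
    "/tmp/absolute_target.txt",
    "link_out/escaped.txt",
    "a/../b.txt",
]


def demo() -> dict:
    """Map each sample target to True if safe_target rejects it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp) / "workspace"
        workspace.mkdir()
        os.symlink(tmp, workspace / "link_out")  # symlink leaving the workspace
        for target in SAMPLE_TARGETS:
            try:
                safe_target(workspace, target)
                results[target] = False
            except ValueError:
                results[target] = True
    return results
```

The check runs before the write, so it does not cover a symlink that is swapped in between validation and the file being opened.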
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.112"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.113"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39305"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T23:09:03Z",
"nvd_published_at": "2026-04-07T17:16:36Z",
"severity": "CRITICAL"
},
"details": "The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (`../`) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host.\n\n### Details\nLocation: `src/praisonai/praisonai/cli/features/action_orchestrator.py` (Lines 402, 409, 423)\n\nVulnerable Code snippet:\n```python\ntarget = workspace / step.target\n```\n\nIn the `_apply_step` method, paths are constructed by concatenating the `workspace` path with a user-supplied `step.target` string: `target = workspace / step.target`. The code fails to resolve and validate that the final absolute path remains within the bounds of the `workspace` directory. When processing `FILE_CREATE` or `FILE_EDIT` actions, this flaw permits arbitrary file modification.\n\n### PoC\nConstruct a malicious `ActionStep` payload with path traversal characters:\n\n```python\nfrom praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus\n\n# Payload targeting a file outside the workspace\nstep = ActionStep(\n id=\"test_traversal\",\n action_type=ActionType.FILE_CREATE,\n description=\"Malicious file write\",\n target=\"../../../../../../../tmp/orchestrator_pwned.txt\",\n params={\"content\": \"pwned\"},\n status=ActionStatus.APPROVED\n)\n\n# When the orchestrator applies this step, it writes to the traversed path\n# _apply_step(step)\n```\n\n### Impact\nThis is an Arbitrary File Write vulnerability. Anyone running the Action Orchestrator to apply modifications is vulnerable. A malicious prompt could trick the agent into generating a plan that overwrites critical files (e.g., `~/.ssh/authorized_keys`, `.bashrc`) leading to Remote Code Execution (RCE) or system corruption.",
"id": "GHSA-jfxc-v5g9-38xr",
"modified": "2026-04-07T22:10:01Z",
"published": "2026-04-06T23:09:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jfxc-v5g9-38xr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39305"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator"
}