CVE-2026-35615
Published: 07 April 2026
Summary
CVE-2026-35615 is a high-severity Path Traversal (CWE-22) vulnerability in Praison Praisonai. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 19.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of path inputs so that traversal sequences such as '..' are rejected before normalization collapses them, rather than checked afterwards.
- Mandates timely identification, reporting, and correction of flaws such as the ineffective _validate_path() function in PraisonAI prior to version 1.5.113.
- Enforces access control policies that restrict unauthorized logical access to system files even if path validation is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A path traversal vulnerability in a public-facing application enables remote, unauthenticated arbitrary file read, which directly supports T1190 (Exploit Public-Facing Application), T1005 (Data from Local System), and T1552.001 (Unsecured Credentials: Credentials In Files).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113.
Deeper analysis
CVE-2026-35615 is a path traversal vulnerability (CWE-22) in PraisonAI, an open-source multi-agent teams system. In versions prior to 1.5.113, the _validate_path() function first normalizes input paths using os.path.normpath(), which collapses sequences of ".." directory traversal characters. It then checks the normalized path for the presence of "..", a check that always passes due to the prior normalization, rendering it ineffective. This flaw enables attackers to traverse to arbitrary files on the affected system. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication or user interaction.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity. Because os.path.normpath() resolves the ".." components before the check runs, a supplied path that contains ".." sequences passes validation, and attackers can read any file on the server's filesystem, including configuration files, credentials, or other critical data.
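The flawed ordering described above beside a hardened replacement, as an added example that is not PraisonAI's own code: the vulnerable function is a reconstruction of the described pattern and assumes the user-supplied path is joined to a base directory before normalization (the case in which normpath() removes the '..' components); BASE_DIR and the sample paths are constructed values.

```python
import os

# Constructed example base directory; none of these paths need to exist.
BASE_DIR = "/srv/app/data"


def validate_path_vulnerable(base_dir: str, user_path: str) -> bool:
    """Reconstruction of the flawed pattern: normalize first, check second."""
    normalized = os.path.normpath(os.path.join(base_dir, user_path))
    # normpath has already consumed the '..' components, so this check only
    # rejects a leading '..' that had nothing to collapse into.
    if ".." in normalized:
        return False
    return True


def validate_path_fixed(base_dir: str, user_path: str) -> bool:
    """Hardened check: inspect the raw input, then confirm containment."""
    # Defense in depth (SI-10): reject '..' components before any normalization.
    if ".." in user_path.replace("\\", "/").split("/"):
        return False
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Containment check catches what a string search misses: an absolute
    # user_path (join discards base) and symlinks that resolve outside base.
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed drives on Windows, etc.
        return False


if __name__ == "__main__":
    for p in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} vulnerable={validate_path_vulnerable(BASE_DIR, p)!s:5} "
              f"fixed={validate_path_fixed(BASE_DIR, p)}")
```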
GitHub security advisories (GHSA-693f-pf34-72c5) and the release notes for version 1.5.113 detail the fix, which addresses the validation logic to properly prevent path traversal. Security practitioners should upgrade to PraisonAI 1.5.113 or later, available at the project's GitHub releases.
PraisonAI's role as a multi-agent teams system suggests potential relevance to AI/ML workflows, where exposed file access could leak training data, models, or agent configurations. No public reports of real-world exploitation are available as of the CVE publication on 2026-04-07.
Details
- CWE(s)