Cyber Resilience

CVE-2026-39305

Critical · Public PoC

Published: 07 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
EPSS score: 0.0031 (22.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-39305 is a critical-severity Path Traversal (CWE-22) vulnerability in Praison Praisonai. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE is ranked at the 22.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-39305 is a Path Traversal vulnerability (CWE-22) in the Action Orchestrator feature of PraisonAI, a multi-agent teams system, affecting versions prior to 1.5.113. Published on 2026-04-07, it enables writing to arbitrary files outside the configured workspace directory by supplying relative path segments such as ../ in the target path. The issue carries a CVSS v3.1 base score of 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

Local attackers or compromised agents can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation allows overwriting sensitive system files or dropping executable payloads on the host, leading to high impacts on integrity and availability due to the changed scope.

The vulnerability is fixed in PraisonAI version 1.5.113. Additional details are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jfxc-v5g9-38xr.

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal enables arbitrary file writes outside the workspace, directly facilitating the dropping of executable payloads (T1105) and the overwriting of sensitive system files for stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39308 (same product: Praison Praisonai)
CVE-2026-35615 (same product: Praison Praisonai)
CVE-2026-40157 (same product: Praison Praisonai)
CVE-2026-39306 (same product: Praison Praisonai)
CVE-2026-39307 (same product: Praison Praisonai)
CVE-2026-44340 (same product: Praison Praisonai)
CVE-2026-39891 (same product: Praison Praisonai)
CVE-2026-34934 (same product: Praison Praisonai)
CVE-2026-34936 (same product: Praison Praisonai)
CVE-2026-40113 (same product: Praison Praisonai)

Affected Assets

Vendor: praison
Product: praisonai
Versions: ≤ 4.5.112

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-10 Information Input Validation): Directly prevents path traversal exploitation by validating target file paths to reject relative segments like ../ that escape the workspace directory.

prevent (AC-3 Access Enforcement): Enforces logical access controls to confine Action Orchestrator file writes strictly to the authorized workspace directory.

detect: Detects unauthorized modifications to sensitive system files overwritten by exploitation of the path traversal vulnerability.
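As an added illustration of the SI-10 and AC-3 controls above, and of the fix pattern for the Action Orchestrator write described in the deeper analysis, here is a workspace-confinement check in Python. This is example code, not PraisonAI's own or the advisory's; the function names, the PathEscapeError class and the sample target paths are constructed for the example. The check resolves symlinks and `..` before comparing, so it also catches escapes that a naive substring test for `../` would miss.

```python
"""Workspace-confined file writes (constructed example, not PraisonAI code)."""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested target would land outside the workspace."""


def resolve_in_workspace(workspace: str, target: str) -> str:
    """Return an absolute path for `target` that is guaranteed to sit inside
    `workspace`, or raise PathEscapeError.

    The vulnerable pattern is a bare os.path.join(workspace, target): '..'
    segments, absolute paths and symlinks all let the result leave the
    workspace. Here the comparison runs on the fully resolved path instead.
    """
    if not target or os.path.isabs(target):
        raise PathEscapeError(f"absolute or empty target rejected: {target!r}")
    ws_real = os.path.realpath(workspace)
    # realpath collapses '..' and follows symlinks, including ones that point
    # outside the workspace, before any comparison is made.
    candidate = os.path.realpath(os.path.join(ws_real, target))
    # commonpath compares whole components, so '/ws-evil' is not "inside" '/ws'.
    if os.path.commonpath([ws_real, candidate]) != ws_real:
        raise PathEscapeError(f"target escapes workspace: {target!r}")
    return candidate


def write_action_output(workspace: str, target: str, data: bytes) -> str:
    """Write `data` only if `target` resolves inside `workspace`."""
    path = resolve_in_workspace(workspace, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Exercise the check against constructed targets; map each to its outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        # A symlink inside the workspace that points at its parent directory.
        os.symlink(os.path.dirname(ws), os.path.join(ws, "escape_link"))
        for tgt in ["out/report.txt", "../outside.txt", "/etc/passwd",
                    "escape_link/x.txt", "sub/../ok.txt"]:
            try:
                write_action_output(ws, tgt, b"demo")
                results[tgt] = "written"
            except PathEscapeError:
                results[tgt] = "rejected"
    return results
```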
