CVE-2026-39305
Published: 07 April 2026
Summary
CVE-2026-39305 is a critical-severity Path Traversal (CWE-22) vulnerability in Praison Praisonai. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE is ranked at the 17.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents path traversal exploitation by validating target file paths to reject relative segments like ../ that escape the workspace directory.
- AC-3 (Access Enforcement): Enforces logical access controls to confine Action Orchestrator file writes strictly to the authorized workspace directory.
- Detects unauthorized modifications to sensitive system files overwritten by exploitation of the path traversal vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file writes outside the workspace, directly facilitating dropping executable payloads (T1105) and overwriting sensitive system files for stored data manipulation (T1565.001).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host. This vulnerability is fixed in 1.5.113.
Deeper analysis
CVE-2026-39305 is a Path Traversal vulnerability (CWE-22) in the Action Orchestrator feature of PraisonAI, a multi-agent teams system, affecting versions prior to 1.5.113. Published on 2026-04-07, it enables writing to arbitrary files outside the configured workspace directory by supplying relative path segments such as ../ in the target path. The issue carries a CVSS v3.1 base score of 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).
Local attackers or compromised agents can exploit this vulnerability with low complexity and no privileges or user interaction required. Exploitation allows overwriting sensitive system files or dropping executable payloads on the host, leading to high impacts on integrity and availability due to the changed scope.
The vulnerability is fixed in PraisonAI version 1.5.113. Additional details are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jfxc-v5g9-38xr.
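As an added illustration (not PraisonAI's code; the function names and workspace layout are assumptions), here is the unsafe join pattern that produces the CWE-22 behaviour described above, beside a workspace-confinement check of the kind SI-10 input validation calls for:

```python
import os
import tempfile

def naive_target(workspace: str, target: str) -> str:
    """Vulnerable pattern (the CWE-22 shape described above): join the
    agent-supplied target onto the workspace and trust the result; a '../'
    segment or an absolute target lands the write outside the workspace."""
    return os.path.join(workspace, target)

def confined_target(workspace: str, target: str) -> str:
    """Hardened pattern (SI-10 style input validation): canonicalise, then
    require the result to stay under the real workspace root."""
    root = os.path.realpath(workspace)
    if os.path.isabs(target):
        raise ValueError(f"absolute target not allowed: {target!r}")
    # realpath() also resolves symlinks, so a link inside the workspace
    # that points outside it is rejected too.
    candidate = os.path.realpath(os.path.join(root, target))
    # commonpath(), not startswith(): '/ws' must not accept '/ws2/file'.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"target escapes workspace: {target!r}")
    return candidate

def write_action_output(workspace: str, target: str, data: bytes) -> str:
    """Perform an action's file write only after the target is confined."""
    path = confined_target(workspace, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def demo() -> dict:
    """Constructed comparison: for each target, whether the naive join stays
    inside the workspace and whether the hardened check accepts it."""
    with tempfile.TemporaryDirectory() as ws:
        root = os.path.realpath(ws)
        out = {}
        for target in ("notes/plan.md", "../outside.txt", "/tmp/target"):
            naive = os.path.realpath(naive_target(ws, target))
            naive_inside = os.path.commonpath([root, naive]) == root
            try:
                confined_target(ws, target)
                accepted = True
            except ValueError:
                accepted = False
            out[target] = (naive_inside, accepted)
        written = write_action_output(ws, "notes/plan.md", b"constructed")
        out["written_inside"] = os.path.commonpath([root, written]) == root
        return out
```

The hardened check rejects exactly the two inputs the naive join lets escape, while the in-workspace target is still written where intended.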
Details
- CWE(s)