CVE-2026-39306
Published: 07 April 2026
Summary
CVE-2026-39306 is a high-severity Path Traversal (CWE-22) vulnerability in Praison Praisonai. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of archive member paths prior to extraction to directly block path traversal and arbitrary file writes outside the intended directory.
Mandates timely flaw remediation by applying the patch in PraisonAI version 1.5.113 that fixes the unsafe tar.extractall() usage.
Restricts and approves user-installed software, mitigating pulls of malicious recipe bundles from the registry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in tar extraction without path validation allows malicious publishers to upload crafted .praison bundles that perform arbitrary file writes on client pull, directly enabling compromise of the software supply chain.
NVD Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains…
more
../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113.
Deeper analysisAI
CVE-2026-39306 is a path traversal vulnerability leading to arbitrary file writes in PraisonAI, a multi-agent teams system, affecting versions prior to 1.5.113. The flaw exists in the recipe registry pull flow, where attacker-controlled .praison tar archives are extracted using tar.extractall() without validating archive member paths before extraction. This impacts both local registry pulls and HTTP registry pulls, as checksum verification fails to prevent exploitation since the malicious traversal payload is included in the signed bundle itself. The issue is classified under CWE-22 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H).
A malicious publisher with low privileges can upload a recipe bundle containing directory traversal entries such as ../. Any user who subsequently pulls the recipe will have files written outside their selected output directory, enabling arbitrary file writes on the client side. Exploitation requires network access and user interaction to initiate the pull, but once triggered, it results in high integrity and availability impacts without affecting confidentiality.
The vulnerability is addressed in PraisonAI version 1.5.113. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4rx4-4r3x-6534.
Details
- CWE(s)