CVE-2026-39308
Published: 07 April 2026
Summary
CVE-2026-39308 is a high-severity Path Traversal (CWE-22) vulnerability in PraisonAI (vendor: Praison). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of untrusted inputs from the bundle's manifest.json before deriving filesystem paths, directly preventing path traversal exploitation.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the path traversal flaw, such as by applying the fixed PraisonAI version 1.5.113.
- Least privilege: Enforces least privilege on the registry server process to restrict unauthorized filesystem writes outside the configured root even if traversal occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the exposed recipe registry publish endpoint allows remote exploitation of a public-facing application (T1190) and results in arbitrary writes of uploaded content to attacker-controlled paths, which directly facilitates ingress of tools or payloads (T1105).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113.
Deeper analysis
CVE-2026-39308 is a path traversal vulnerability (CWE-22) in PraisonAI, a multi-agent teams system, affecting versions prior to 1.5.113. The flaw exists in the recipe registry publish endpoint, which writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before verifying that the manifest name and version match the HTTP route. This allows a malicious publisher to include directory traversal sequences such as ../ in the manifest, enabling file creation outside the configured registry root on the registry host, even though the request is ultimately rejected with HTTP 400.
The vulnerability impacts deployments that expose the recipe registry publish flow. Attackers require network access to the service; if the registry is run without a token, any client that can reach it can exploit the issue, while configurations with a token limit exploitation to users with publish access. Successful exploitation results in arbitrary file writes on the registry host, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), reflecting high integrity impact and low availability impact.
The vulnerability is fixed in PraisonAI version 1.5.113. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f.
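The defect described above is one of ordering: the path is derived from manifest.json before the manifest is checked against the route. The following is an added illustration of the safe ordering in Python, written for this page and not PraisonAI's own code; the function names, the name/version allowlists and the registry root path are assumptions.

```python
import json
import re
from pathlib import Path

# Constructed allowlists (an assumption, not PraisonAI's rules): a short
# package-style name and a dotted numeric version, so neither value can carry
# "..", "/" or other separators into a filesystem path.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
_VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+){0,3}$")

class PublishRejected(ValueError):
    """Anything the publish endpoint should answer with HTTP 400."""

def resolve_bundle_dir(registry_root: str, route_name: str, route_version: str,
                       manifest_json: bytes) -> Path:
    """Return the only directory this bundle may be written to, or raise.

    Order matters: the manifest is checked against the route and the allowlist
    before any path is derived, and that path is then confined to the root.
    """
    try:
        manifest = json.loads(manifest_json)
        name, version = manifest["name"], manifest["version"]
    except (ValueError, KeyError, TypeError) as exc:
        raise PublishRejected(f"manifest.json is missing or malformed: {exc}") from exc
    # 1. Manifest and route must agree before any path work happens.
    if name != route_name or version != route_version:
        raise PublishRejected("manifest name/version do not match the route")
    # 2. The route values are client-supplied too, so allowlist them strictly.
    if not (_NAME_RE.match(name) and _VERSION_RE.match(version)):
        raise PublishRejected("name or version contains disallowed characters")
    # 3. Defence in depth: the resolved target must still lie under the root.
    root = Path(registry_root).resolve()
    target = (root / name / version).resolve()
    try:
        target.relative_to(root)
    except ValueError as exc:
        raise PublishRejected("bundle path escapes the registry root") from exc
    return target

def is_publish_allowed(registry_root: str, route_name: str, route_version: str,
                       manifest_json: bytes) -> bool:
    """True if the bundle would be accepted for writing, False if rejected."""
    try:
        resolve_bundle_dir(registry_root, route_name, route_version, manifest_json)
        return True
    except PublishRejected:
        return False
```

Because every rejection happens before a path exists, a manifest carrying traversal sequences never reaches a write, which is what distinguishes this from the pre-1.5.113 behaviour where the file was created and only then the request was rejected.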
Details
- CWE(s): CWE-22 (Path Traversal)