CVE-2026-40117
Published: 09 April 2026
Summary
CVE-2026-40117 is a medium-severity Missing Authorization (CWE-862) vulnerability in PraisonAIAgents (vendor: Praison). Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 13.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under Other AI Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations for logical access to filesystem resources, directly preventing arbitrary file reads via the unrestricted skill_path parameter in read_skill_file().
SI-10 (Information Input Validation): validates inputs such as the skill_path parameter so that only paths inside the workspace boundary are accepted, which means a path supplied through prompt injection cannot escape the skills directory.
AC-6 (Least Privilege): applies least privilege to agent processes, limiting the filesystem the agent can reach and reducing the impact of an unauthorized file read even if the authorization check is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary file reads from the local filesystem via an unrestricted path parameter, directly facilitating collection of sensitive data from the local system as in T1005.
NVD Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
Deeper analysis
CVE-2026-40117 affects PraisonAIAgents, a multi-agent teams system, in versions prior to 1.5.128. The vulnerability resides in the read_skill_file() function within skill_tools.py, which accepts an unrestricted skill_path parameter. This allows arbitrary file reads from the filesystem, bypassing protections present in related functions like file_tools.read_file (which enforces workspace boundaries) and run_skill_script (which requires critical-level approval). The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
Exploitation requires no privileges and no user interaction; the CVSS local attack vector reflects that the file read executes on the host running the agent. An attacker who can place injected instructions in front of the agent (for example in content the agent is asked to process) can steer it into calling read_skill_file() with a skill_path that points outside the skills directory. Because the function performs neither workspace confinement nor an approval check, the file contents are returned to the agent, and from there to the attacker, without any approval prompt, unlike the safer file_tools.read_file and run_skill_script counterparts.
The vulnerability is fixed in version 1.5.128 of PraisonAIAgents. Additional details are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf.
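The two patterns described above, as an added illustration that is not PraisonAI's code: a reader that opens whatever path it is handed (the class of defect the advisory describes) beside a confined reader that applies the AC-3 access-enforcement and SI-10 input-validation controls listed under Mitigating Controls. The skills directory layout, file names and the function names read_skill_file_unrestricted / read_skill_file_confined are hypothetical, and the demo builds its own constructed skills tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path


class SkillPathError(PermissionError):
    """Raised when a requested skill path is not an authorized file under the skills root."""


def resolve_skill_path(skills_root: str, skill_path: str) -> Path:
    """Authorization check for a skill-file read (hypothetical helper).

    Accepts skill_path only if, after resolving '..' components and symlinks,
    it still lies inside skills_root and names a regular file. Absolute paths
    are rejected up front because joining them would discard the root entirely.
    """
    root = Path(skills_root).resolve(strict=True)
    if "\x00" in skill_path:
        raise SkillPathError("NUL byte in skill_path")
    if os.path.isabs(skill_path):
        raise SkillPathError(f"absolute paths are not allowed: {skill_path!r}")
    candidate = (root / skill_path).resolve(strict=False)
    try:
        candidate.relative_to(root)          # raises ValueError if outside root
    except ValueError:
        raise SkillPathError(f"path escapes skills root: {skill_path!r}") from None
    if not candidate.is_file():
        raise SkillPathError(f"not a regular file under skills root: {skill_path!r}")
    return candidate


def read_skill_file_unrestricted(skill_path: str) -> str:
    """Vulnerable pattern, shown for contrast: the model-supplied path is opened as-is."""
    with open(skill_path, "r", encoding="utf-8") as f:
        return f.read()


def read_skill_file_confined(skills_root: str, skill_path: str) -> str:
    """Hardened pattern: authorize the resolved path before reading it."""
    return resolve_skill_path(skills_root, skill_path).read_text(encoding="utf-8")


def demo() -> dict:
    """Exercise both readers against attacker-style paths on a constructed tree.

    Layout (all constructed for this example):
      <tmp>/skills/summarize/SKILL.md   legitimate skill file
      <tmp>/secret.txt                  sensitive file one level above the root
      <tmp>/skills/summarize/escape     symlink inside the root pointing at secret.txt
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp) / "skills"
        (skills / "summarize").mkdir(parents=True)
        (skills / "summarize" / "SKILL.md").write_text("# summarize skill\n")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("api_key=constructed-example\n")
        link = skills / "summarize" / "escape"
        try:
            link.symlink_to(secret)
            have_symlink = True
        except OSError:                      # e.g. no symlink privilege on the platform
            have_symlink = False

        # The confined reader still serves legitimate skill files.
        results["legit"] = read_skill_file_confined(str(skills), "summarize/SKILL.md")
        # The unrestricted reader follows traversal straight out of the skills root.
        results["unrestricted_traversal"] = read_skill_file_unrestricted(
            str(skills / ".." / "secret.txt"))
        # The confined reader refuses each escape route.
        probes = {
            "traversal": "../secret.txt",
            "absolute": str(secret),
            "symlink": "summarize/escape",
        }
        for name, probe in probes.items():
            if name == "symlink" and not have_symlink:
                results[name] = "skipped"
                continue
            try:
                read_skill_file_confined(str(skills), probe)
                results[name] = "ALLOWED"
            except SkillPathError:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome!r}")
```

The check resolves the candidate path before comparing it with the root, so a symlink planted inside the skills tree is treated the same as a literal `../` traversal. Confinement alone does not replace the approval gate the advisory mentions for run_skill_script; an operator who wants parity with that tool would still route the read through the same approval mechanism.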
Details
- CWE(s): CWE-862 (Missing Authorization)
- Affected Products: PraisonAIAgents, versions prior to 1.5.128
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: prompt injection