CVE-2026-40157
Published: 10 April 2026
Summary
CVE-2026-40157 is a high-severity Path Traversal (CWE-22) vulnerability in Praison Praisonai. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs such as tar archive member paths to block directory traversal sequences like ../../ from writing files outside the intended directory.
Mandates timely identification, reporting, and correction of the specific path traversal flaw in PraisonAI's cmd_unpack function by patching to version 4.5.128 or later.
Ensures receipt, dissemination, and implementation of security advisories such as GHSA-99g3-w8gr-x37c to enable patching and mitigate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal in the tar extraction allows arbitrary file write when a user is tricked into running the vulnerable 'praisonai recipe unpack' command on a malicious .praison bundle, directly mapping to client-side exploitation (T1203) via a malicious file (T1204.002).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory.…
more
An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.
Deeper analysisAI
CVE-2026-40157 is a path traversal vulnerability (CWE-22) affecting PraisonAI, a multi-agent teams system, in versions prior to 4.5.128. The issue resides in the cmd_unpack function of the recipe CLI, which extracts .praison tar archives using raw tar.extract() without validating archive member paths. This allows specially crafted bundles containing directory traversal sequences like ../../ to write files outside the intended output directory.
An attacker can exploit this vulnerability by distributing a malicious .praison bundle over the network. A victim with no special privileges who is socially engineered into executing the "praisonai recipe unpack" command on the bundle will enable the attacker to overwrite arbitrary files on the victim's filesystem. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high impact potential with low complexity, requiring only user interaction.
The GitHub Security Advisory (GHSA-99g3-w8gr-x37c) confirms the vulnerability is fixed in PraisonAI version 4.5.128, recommending users upgrade to this or later versions for mitigation.
PraisonAI's focus on multi-agent teams suggests relevance to AI/ML workflows, where recipe bundles may be shared in collaborative environments, though no real-world exploitation has been reported.
Details
- CWE(s)