{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39308", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.265Z", "datePublished": "2026-04-07T16:48:42.322Z", "dateUpdated": "2026-04-07T16:48:42.322Z"}, "containers": {"cna": {"title": "PraisonAI recipe registry publish path traversal allows out-of-root file write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.113", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:48:42.322Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113."}], "source": {"advisory": "GHSA-r9x3-wx45-2v7f", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113."}], "id": "CVE-2026-39308", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:36.770", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r9x3-wx45-2v7f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.113)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-07T23:18:02.552513+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAI to version 1.5.113 or later.", "Disable or restrict public access to the recipe registry publish endpoint if possible.", "Ensure that authentication tokens used for publish access are issued only to trusted users and that token usage is logged.", "Add a pre\u2011write validation step to check for directory traversal in the manifest before creating any files.", "Configure the registry root directory with appropriate permissions so that write operations cannot affect files outside the intended area."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MervinPraison\u2019s PraisonAI product in all releases prior to version 1.5.113. Any installation that exposes the recipe registry publish flow, whether publicly accessible or protected by a token, is susceptible. If the registry runs without authentication, any network client can trigger the flaw; if authentication is enabled, any user with publish permissions can exploit it.", "description_and_impact": "PraisonAI\u2019s recipe registry publish endpoint processes a bundle\u2019s internal manifest.json and creates files based on the path derived from that manifest before the server verifies that the manifest name and version match the HTTP route. A malicious publisher can embed directory traversal sequences, such as \\'../\\', in the manifest so the registry attempts to write files outside its configured root directory. Even though the request ultimately generates a 400 response, the write operation occurs. This results in an arbitrary file write that can overwrite critical system files or place malicious content on the server, potentially leading to privilege escalation or code execution.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate to high severity, and although EPSS data is unavailable, the path\u2011traversal nature and network trigger suggest a relatively high likelihood of exploitation, especially on services that are openly exposed. Because the vulnerability is not listed in the CISA KEV catalog, there is no confirmed exploitation in the wild, but the threat remains significant for exposed deployments."}}}}, "created": "2026-04-08T19:36:38.284754+00:00", "updated": "2026-04-08T19:47:41.511531+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}