PraisonAI Arbitrary File Write Vulnerability

PraisonAI versions up to 4.6.37 are susceptible to an arbitrary file write vulnerability (CVE-2026-47397) within its Python API. This flaw stems from the write_file function’s lack of path validation when the workspace parameter is set to None, a default configuration in production environments. An attacker can exploit this by hosting a webpage containing hidden metadata that specifies an arbitrary file path and content. When a victim’s PraisonAI agent crawls and analyzes this webpage, it autonomously calls the write_file function, writing the attacker-controlled content to the specified path on the victim’s system. This vulnerability allows attackers to bypass injection defenses and LLM safety measures, as the agent performs normal operations triggered by the malicious metadata.

Attack Chain

1. The attacker crafts a malicious webpage containing hidden metadata within a <span> element, defining the output_file and output_content parameters.
2. A victim uses the PraisonAI Python API to initiate a web crawling task, targeting the attacker’s malicious webpage using the web_crawl tool.
3. The PraisonAI agent crawls the attacker-controlled webpage using the web_crawl tool, extracting the hidden metadata.
4. The agent parses the extracted metadata and identifies the output_file parameter, which specifies the arbitrary file path.
5. The agent, as part of its normal operation, autonomously calls the write_file function to write the extracted content to a file.
6. Because workspace is None, path validation is skipped in code/tools/write_file.py:77-83.
7. The write_file function writes the content defined by the output_content parameter to the file path specified by output_file on the victim’s system.
8. The attacker achieves arbitrary file write on the victim’s system, potentially leading to code execution or data exfiltration.

Impact

Successful exploitation allows an attacker to write arbitrary files to the victim’s system. This can lead to various malicious outcomes, including overwriting critical system files, injecting malicious code, or exfiltrating sensitive information. The vulnerability affects any user of PraisonAI who processes attacker-controlled webpages using the web_crawl tool, potentially impacting a wide range of users and applications that rely on PraisonAI for automated web analysis.

Recommendation

• Upgrade PraisonAI to a version later than 4.6.37 to incorporate the fix for CVE-2026-47397.
• Deploy the Sigma rule “Detect PraisonAI Arbitrary File Write via Web Crawl” to detect exploitation attempts by monitoring for calls to the write_file function with attacker-controlled paths.
• Implement robust input validation and sanitization measures to prevent malicious metadata injection into web pages processed by PraisonAI agents.