{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.privilege_escalation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-44340"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI"],"_cs_severities":["high"],"_cs_tags":["symlink","arbitrary file write","path traversal","attack.persistence","attack.privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI versions 2.7.2 through 4.6.35 are susceptible to a symlink extraction bypass vulnerability. The vulnerability exists within the \u003ccode\u003e_safe_extractall\u003c/code\u003e helper function, which is used by \u003ccode\u003erecipe pull\u003c/code\u003e, \u003ccode\u003erecipe publish\u003c/code\u003e, and \u003ccode\u003erecipe unpack\u003c/code\u003e functionalities. The core issue lies in the lack of validation for \u003ccode\u003emember.linkname\u003c/code\u003e and the failure to reject symlink members during archive extraction. This allows a malicious actor to craft a \u003ccode\u003e.praison\u003c/code\u003e bundle containing a symlink that points outside the intended destination directory, leading to arbitrary file writes. This vulnerability re-opens attack vectors that previous patches (GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv) aimed to mitigate.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.praison\u003c/code\u003e bundle containing a symlink member.\u003c/li\u003e\n\u003cli\u003eThe symlink\u0026rsquo;s \u003ccode\u003ename\u003c/code\u003e is within the intended destination directory.\u003c/li\u003e\n\u003cli\u003eThe symlink\u0026rsquo;s \u003ccode\u003elinkname\u003c/code\u003e points to a location outside the destination directory (e.g., \u003ccode\u003e/tmp/PWNED\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious bundle also includes a regular file member.\u003c/li\u003e\n\u003cli\u003eThe regular file\u0026rsquo;s path traverses through the previously created symlink (e.g., \u003ccode\u003elegit/escape/owned.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user or server processes the malicious \u003ccode\u003e.praison\u003c/code\u003e bundle using \u003ccode\u003epraisonai recipe unpack\u003c/code\u003e, \u003ccode\u003epraisonai recipe pull\u003c/code\u003e, or a registry archive validation process.\u003c/li\u003e\n\u003cli\u003eDuring extraction, the symlink is created first, pointing to the attacker-controlled location.\u003c/li\u003e\n\u003cli\u003eWhen the regular file is extracted, it follows the symlink, resulting in an arbitrary file write to the attacker\u0026rsquo;s chosen location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to write arbitrary files with attacker-controlled content to any location on the filesystem accessible to the PraisonAI process. This can lead to various outcomes, including: overwriting user configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e, SSH \u003ccode\u003eauthorized_keys\u003c/code\u003e, cron entries), modifying project files, or, if the process runs as root, compromising the entire system. This vulnerability impacts all hosts processing malicious \u003ccode\u003e.praison\u003c/code\u003e bundles through affected \u003ccode\u003epraisonai\u003c/code\u003e versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of PraisonAI that includes the \u003ccode\u003efilter=\u0026quot;data\u0026quot;\u003c/code\u003e argument in the \u003ccode\u003etar.extractall\u003c/code\u003e call to prevent symlink extraction bypass (\u003ccode\u003erecipe/registry.py:178\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eFor older Python versions, implement an explicit check for symlinks and hardlinks during archive extraction, validating that the link target remains within the intended destination directory as described in the suggested remediation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Symlink Extraction Bypass\u0026rdquo; to identify potential exploitation attempts by monitoring for archive extractions containing suspicious symlinks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:01:45Z","date_published":"2026-05-11T14:01:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-symlink-bypass/","summary":"PraisonAI versions 2.7.2 through 4.6.35 are vulnerable to an arbitrary file write due to improper validation of symlinks during archive extraction, affecting `recipe pull`, `recipe publish`, and `recipe unpack` flows.","title":"PraisonAI Symlink Extraction Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-symlink-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.privilege_escalation","version":"https://jsonfeed.org/version/1.1"}