{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mcp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MCP (Model Context Protocol) server"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","code-execution","prompt-injection","mcp"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s MCP (Model Context Protocol) server registers four file-handling tools by default: \u003ccode\u003epraisonai.rules.create\u003c/code\u003e, \u003ccode\u003epraisonai.rules.show\u003c/code\u003e, \u003ccode\u003epraisonai.rules.delete\u003c/code\u003e, and \u003ccode\u003epraisonai.workflow.show\u003c/code\u003e. Each accepts a path or filename string from MCP \u003ccode\u003etools/call\u003c/code\u003e arguments and joins it onto \u003ccode\u003e~/.praison/rules/\u003c/code\u003e (or accepts an absolute path for \u003ccode\u003eworkflow.show\u003c/code\u003e) without proper validation. The JSON-RPC dispatcher passes \u003ccode\u003eparams[\u0026quot;arguments\u0026quot;]\u003c/code\u003e without validating against the advertised input schema. This allows an attacker to write arbitrary files by escaping the rules directory, leading to arbitrary code execution via Python \u003ccode\u003e.pth\u003c/code\u003e injection into the user site-packages directory. The vulnerability can be exploited via LLMs with poisoned context, unauthenticated HTTP-stream transports, or prompt injection. 
No operator misconfiguration is required to trigger the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker poisons the context of an LLM connected to a PraisonAI MCP server through attacker-controlled web content, documents, or emails.\u003c/li\u003e\n\u003cli\u003eThe user interacts with the LLM, asking it to summarize or analyze the poisoned content, which contains injected instructions to call a tool.\u003c/li\u003e\n\u003cli\u003eThe LLM, under prompt injection, crafts a \u003ccode\u003etools/call\u003c/code\u003e request to the MCP server, targeting \u003ccode\u003epraisonai.rules.create\u003c/code\u003e with a malicious \u003ccode\u003erule_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003erule_name\u003c/code\u003e includes path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) to write a file outside the intended rules directory.\u003c/li\u003e\n\u003cli\u003eThe MCP server\u0026rsquo;s \u003ccode\u003erules.create\u003c/code\u003e handler, lacking containment checks, writes the file to a location such as the user\u0026rsquo;s site-packages directory (e.g., \u003ccode\u003e~/.local/lib/python3.14/site-packages/evil.pth\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe written file is a Python \u003ccode\u003e.pth\u003c/code\u003e file containing an \u003ccode\u003eimport os; os.system(\u0026quot;malicious_command\u0026quot;)\u003c/code\u003e line; the \u003ccode\u003esite\u003c/code\u003e module executes any \u003ccode\u003e.pth\u003c/code\u003e line that begins with \u003ccode\u003eimport\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe next time the user starts a Python interpreter (including the \u003ccode\u003epraisonai\u003c/code\u003e CLI), the \u003ccode\u003e.pth\u003c/code\u003e file is processed, executing the attacker\u0026rsquo;s arbitrary code. Interpreters started with \u003ccode\u003e-S\u003c/code\u003e or \u003ccode\u003e-I\u003c/code\u003e, or running in a virtual environment where the user site-packages directory is disabled, do not process user-site \u003ccode\u003e.pth\u003c/code\u003e files, which narrows but does not remove the exposure.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with the user\u0026rsquo;s privileges, potentially leading to data exfiltration, system compromise, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to achieve arbitrary code execution on the victim\u0026rsquo;s machine. This can lead to data exfiltration, installation of malware, or further compromise of the system. The vulnerability affects any user running a PraisonAI MCP server connected to an LLM, because the server itself performs no input validation; in addition, the default configuration of the HTTP-stream transport exposes the server to local attacks without requiring authentication. The impact is significant because it can compromise the user\u0026rsquo;s entire system and any data accessible to the user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and containment to all file-handling tools. Specifically, implement checks to prevent path traversal in \u003ccode\u003epraisonai.rules.create\u003c/code\u003e, \u003ccode\u003epraisonai.rules.show\u003c/code\u003e, and \u003ccode\u003epraisonai.rules.delete\u003c/code\u003e as detailed in the \u0026ldquo;Suggested fix\u0026rdquo; section of the advisory.\u003c/li\u003e\n\u003cli\u003eEnforce schema validation in the MCP dispatcher to ensure that \u003ccode\u003eparams[\u0026quot;arguments\u0026quot;]\u003c/code\u003e conforms to the advertised input schema, rejecting unknown properties and type mismatches.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eworkflow.show\u003c/code\u003e tool to paths within a designated workflow directory, rejecting absolute paths and any value containing \u003ccode\u003e..\u003c/code\u003e, as outlined in the \u0026ldquo;Suggested fix\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eRequire authentication on non-loopback HTTP-stream binds to prevent unauthorized access to the MCP server when using 
\u003ccode\u003epraisonai mcp serve --transport http-stream\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T13:59:36Z","date_published":"2026-05-11T13:59:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-mcp-pth-rce/","summary":"PraisonAI's MCP server is vulnerable to path traversal leading to arbitrary code execution by writing a Python `.pth` file into the user's site-packages directory, triggered via poisoned LLM contexts or unauthenticated HTTP-stream transports due to unvalidated kwargs in the dispatcher and lack of containment checks in file-handling tools.","title":"PraisonAI MCP Path Traversal to RCE via .pth Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-mcp-pth-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Mcp","version":"https://jsonfeed.org/version/1.1"}
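Added example (Python; not PraisonAI's own code): a minimal MCP-style `tools/call` dispatcher with an unsafe `rules.create` handler beside a hardened one, showing the two controls the Recommendation section asks for, a schema check that rejects unknown properties and type mismatches, and a containment check on the resolved path. It assumes the tool writes `<rules_dir>/<rule_name>` verbatim and uses an illustrative argument schema; the sandbox home directory, the traversal request and the `.pth` payload are all constructed inline and nothing is executed.

```python
import tempfile
from pathlib import Path

# Illustrative input schema for rules.create (assumed shape, not PraisonAI's real one).
RULES_CREATE_SCHEMA = {
    "type": "object",
    "properties": {"rule_name": {"type": "string"}, "content": {"type": "string"}},
    "required": ["rule_name", "content"],
    "additionalProperties": False,
}

_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
          "object": dict, "array": list}

# Constructed attacker value: escapes ~/.praison/rules/ into the user site-packages dir.
TRAVERSAL = "../../.local/lib/python3.14/site-packages/evil.pth"


def validate_args(args, schema):
    """Check tools/call arguments against a JSON-schema subset: required keys,
    declared types, and no unknown properties (additionalProperties: false)."""
    if not isinstance(args, dict):
        raise ValueError("arguments must be a JSON object")
    props = schema["properties"]
    for key in schema.get("required", ()):
        if key not in args:
            raise ValueError(f"missing required argument: {key}")
    for key, value in args.items():
        if key not in props:
            raise ValueError(f"unknown argument: {key}")
        expected = _TYPES[props[key]["type"]]
        # bool is a subclass of int in Python; do not let true/false pass as a number
        if isinstance(value, bool) and expected is not bool:
            raise ValueError(f"argument {key} must be {props[key]['type']}")
        if not isinstance(value, expected):
            raise ValueError(f"argument {key} must be {props[key]['type']}")
    return args


def contained_rule_path(rules_dir, rule_name):
    """Return <rules_dir>/<rule_name> only if it stays a direct child of rules_dir.
    Separators and dot names are refused up front; the resolve() comparison also
    catches an escape through an existing symlink inside the rules directory."""
    if (not rule_name or rule_name in (".", "..") or "\x00" in rule_name
            or "/" in rule_name or "\\" in rule_name):
        raise ValueError("invalid rule name")
    base = Path(rules_dir).resolve()
    target = (base / rule_name).resolve()
    if target.parent != base:
        raise ValueError("rule name escapes the rules directory")
    return target


def rules_create_unsafe(rules_dir, args):
    """Vulnerable pattern: join the caller-supplied name onto the rules directory
    and write it, with no schema check and no containment check."""
    path = Path(rules_dir) / args["rule_name"]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(args["content"])
    return f"created {path}"


def rules_create_safe(rules_dir, args):
    """Hardened version: validate the argument object, then confine the path."""
    args = validate_args(args, RULES_CREATE_SCHEMA)
    path = contained_rule_path(rules_dir, args["rule_name"])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(args["content"])
    return f"created {path}"


def dispatch(rules_dir, request, handlers):
    """Minimal JSON-RPC tools/call dispatcher; handler ValueErrors become -32602."""
    params = request.get("params") or {}
    handler = handlers.get(params.get("name"))
    if handler is None:
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32601, "message": "unknown tool"}}
    try:
        text = handler(rules_dir, params.get("arguments") or {})
    except ValueError as exc:
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32602, "message": str(exc)}}
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"content": [{"type": "text", "text": text}]}}


def demo(handler, rule_name, content="import os; os.system('id')\n"):
    """Send one constructed tools/call to `handler` inside a throwaway sandbox that
    mimics a home directory. Returns (error_or_None, rule_written, pth_written)."""
    home = Path(tempfile.mkdtemp()) / "home"
    rules_dir = home / ".praison" / "rules"
    rules_dir.mkdir(parents=True)
    pth = home / ".local" / "lib" / "python3.14" / "site-packages" / "evil.pth"
    request = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
               "params": {"name": "praisonai.rules.create",
                          "arguments": {"rule_name": rule_name, "content": content}}}
    resp = dispatch(rules_dir, request, {"praisonai.rules.create": handler})
    error = resp["error"]["message"] if "error" in resp else None
    return error, (rules_dir / Path(rule_name).name).is_file(), pth.is_file()


if __name__ == "__main__":
    print("unsafe, traversal:", demo(rules_create_unsafe, TRAVERSAL))
    print("safe,   traversal:", demo(rules_create_safe, TRAVERSAL))
    print("safe,   benign   :", demo(rules_create_safe, "review-checklist.md"))
```

The unsafe handler lands the payload in the sandbox's `site-packages/evil.pth`; the hardened one returns a JSON-RPC `-32602` error for the same request and still writes a plain filename into the rules directory. The character filter and the `resolve()` comparison are deliberately both present: the first gives a clear error for the obvious `../` case, the second covers names that only escape once symlinks are followed.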