{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/praisonai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*","cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*"],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-44339"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003c= 4.6.36)","praisonaiagents (\u003c= 1.6.36)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","ai-agent"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s \u003ccode\u003epraisonaiagents\u003c/code\u003e library exhibits an unsafe tool resolution vulnerability. Specifically, when resolving tool names, the system searches module globals and the \u003ccode\u003e__main__\u003c/code\u003e scope \u003cem\u003eafter\u003c/em\u003e failing to find a match in the declared tool list or the tool registry. Crucially, the default agent configuration sets \u003ccode\u003e_perm_allow\u003c/code\u003e to \u003ccode\u003eNone\u003c/code\u003e, meaning that the permission gate does not enforce a strict allowlist of declared tools. This allows an attacker who can control or influence the tool-call names to invoke unintended application callables, bypassing the intended security boundary of declared tools. 
The vulnerability was verified on commit \u003ccode\u003ed8a8a786915dc67a7c3021e24f72458f2eac5d9c\u003c/code\u003e (v4.6.35).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application callable that is accessible via \u003ccode\u003e__main__\u003c/code\u003e or globals.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input to the PraisonAI agent that specifies the name of the target callable as the \u0026ldquo;tool\u0026rdquo; to execute.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eToolExecutionMixin.execute_tool\u003c/code\u003e function is called with the attacker-controlled tool name.\u003c/li\u003e\n\u003cli\u003eThe agent first searches for the tool in its declared \u003ccode\u003eself.tools\u003c/code\u003e list. This search fails because the tool is undeclared.\u003c/li\u003e\n\u003cli\u003eThe agent then attempts to retrieve the tool from the tool registry. This also fails.\u003c/li\u003e\n\u003cli\u003eThe agent falls back to searching for the tool name in \u003ccode\u003eglobals()\u003c/code\u003e and \u003ccode\u003e__main__\u003c/code\u003e. The attacker-specified callable is found in \u003ccode\u003e__main__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe agent executes the callable directly, passing arguments as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the PraisonAI application, potentially leading to unauthorized state changes, data exposure, or command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. In deployments where untrusted parties can influence tool-call names, attackers can execute undeclared application callables, bypassing intended security boundaries. 
Operators who rely on the declared tool list as a security control are vulnerable, as this control can be circumvented. If the application keeps privileged helper functions in process scope, the attacker can reuse those helpers with the application\u0026rsquo;s own privileges, potentially leading to unauthorized state changes, data exposure, or command execution. Affected packages include \u003ccode\u003epip/praisonaiagents\u003c/code\u003e (vulnerable: \u0026lt;= 1.6.36) and \u003ccode\u003epip/PraisonAI\u003c/code\u003e (vulnerable: \u0026lt;= 4.6.36).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003epraisonaiagents\u003c/code\u003e and \u003ccode\u003ePraisonAI\u003c/code\u003e that addresses the unsafe tool resolution (CVE-2026-44339).\u003c/li\u003e\n\u003cli\u003eConfigure the PraisonAI agent to use an explicit allowlist (\u003ccode\u003e_perm_allow\u003c/code\u003e) of permitted tools to prevent the execution of undeclared callables. 
Refer to the PraisonAI documentation for instructions on setting up the \u003ccode\u003e_perm_allow\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on tool-call names to prevent attackers from injecting arbitrary callable names.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to execute undeclared functions through \u003ccode\u003eToolExecutionMixin\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:01:58Z","date_published":"2026-05-11T14:01:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-tool-execution/","summary":"PraisonAI resolves tool names against module globals and `__main__` after failing to match declared tools, allowing an attacker who can influence tool-call names to invoke unintended application callables, leading to potential unauthorized state changes and command execution.","title":"PraisonAI Unsafe Tool Resolution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-tool-execution/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-44340"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI"],"_cs_severities":["high"],"_cs_tags":["symlink","arbitrary file write","path traversal","attack.persistence","attack.privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI versions 2.7.2 through 4.6.35 are susceptible to a symlink extraction bypass vulnerability. The vulnerability exists within the \u003ccode\u003e_safe_extractall\u003c/code\u003e helper function, which is used by \u003ccode\u003erecipe pull\u003c/code\u003e, \u003ccode\u003erecipe publish\u003c/code\u003e, and \u003ccode\u003erecipe unpack\u003c/code\u003e functionalities. 
The core issue lies in the lack of validation for \u003ccode\u003emember.linkname\u003c/code\u003e and the failure to reject symlink members during archive extraction. This allows a malicious actor to craft a \u003ccode\u003e.praison\u003c/code\u003e bundle containing a symlink that points outside the intended destination directory, leading to arbitrary file writes. This vulnerability re-opens attack vectors that previous patches (GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv) aimed to mitigate.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.praison\u003c/code\u003e bundle containing a symlink member.\u003c/li\u003e\n\u003cli\u003eThe symlink\u0026rsquo;s \u003ccode\u003ename\u003c/code\u003e is within the intended destination directory.\u003c/li\u003e\n\u003cli\u003eThe symlink\u0026rsquo;s \u003ccode\u003elinkname\u003c/code\u003e points to a location outside the destination directory (e.g., \u003ccode\u003e/tmp/PWNED\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious bundle also includes a regular file member.\u003c/li\u003e\n\u003cli\u003eThe regular file\u0026rsquo;s path traverses through the previously created symlink (e.g., \u003ccode\u003elegit/escape/owned.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user or server processes the malicious \u003ccode\u003e.praison\u003c/code\u003e bundle using \u003ccode\u003epraisonai recipe unpack\u003c/code\u003e, \u003ccode\u003epraisonai recipe pull\u003c/code\u003e, or a registry archive validation process.\u003c/li\u003e\n\u003cli\u003eDuring extraction, the symlink is created first, pointing to the attacker-controlled location.\u003c/li\u003e\n\u003cli\u003eWhen the regular file is extracted, it follows the symlink, resulting in an arbitrary file write to the attacker\u0026rsquo;s chosen location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to write arbitrary files with attacker-controlled content to any location on the filesystem accessible to the PraisonAI process. This can lead to various outcomes, including: overwriting user configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e, SSH \u003ccode\u003eauthorized_keys\u003c/code\u003e, cron entries), modifying project files, or, if the process runs as root, compromising the entire system. This vulnerability impacts all hosts processing malicious \u003ccode\u003e.praison\u003c/code\u003e bundles through affected \u003ccode\u003epraisonai\u003c/code\u003e versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of PraisonAI that includes the \u003ccode\u003efilter=\u0026quot;data\u0026quot;\u003c/code\u003e argument in the \u003ccode\u003etar.extractall\u003c/code\u003e call to prevent symlink extraction bypass (\u003ccode\u003erecipe/registry.py:178\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eFor older Python versions, implement an explicit check for symlinks and hardlinks during archive extraction, validating that the link target remains within the intended destination directory as described in the suggested remediation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Symlink Extraction Bypass\u0026rdquo; to identify potential exploitation attempts by monitoring for archive extractions containing suspicious symlinks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:01:45Z","date_published":"2026-05-11T14:01:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-symlink-bypass/","summary":"PraisonAI versions 2.7.2 through 4.6.35 are vulnerable to an arbitrary file write due to improper validation of symlinks 
during archive extraction, affecting `recipe pull`, `recipe publish`, and `recipe unpack` flows.","title":"PraisonAI Symlink Extraction Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-symlink-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MCP (Model Context Protocol) server"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","code-execution","prompt-injection","mcp"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s MCP (Model Context Protocol) server registers four file-handling tools by default: \u003ccode\u003epraisonai.rules.create\u003c/code\u003e, \u003ccode\u003epraisonai.rules.show\u003c/code\u003e, \u003ccode\u003epraisonai.rules.delete\u003c/code\u003e, and \u003ccode\u003epraisonai.workflow.show\u003c/code\u003e. Each accepts a path or filename string from MCP \u003ccode\u003etools/call\u003c/code\u003e arguments and joins it onto \u003ccode\u003e~/.praison/rules/\u003c/code\u003e (or accepts an absolute path for \u003ccode\u003eworkflow.show\u003c/code\u003e) without proper validation. The JSON-RPC dispatcher passes \u003ccode\u003eparams[\u0026quot;arguments\u0026quot;]\u003c/code\u003e without validating against the advertised input schema. This allows an attacker to write arbitrary files by escaping the rules directory, leading to arbitrary code execution via Python \u003ccode\u003e.pth\u003c/code\u003e injection into the user site-packages directory. The vulnerability can be exploited via LLMs with poisoned context, unauthenticated HTTP-stream transports, or prompt injection. 
No operator misconfiguration is required to trigger the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker poisons the context of an LLM connected to a PraisonAI MCP server through attacker-controlled web content, documents, or emails.\u003c/li\u003e\n\u003cli\u003eThe user interacts with the LLM, asking it to summarize or analyze the poisoned content, which contains a crafted command.\u003c/li\u003e\n\u003cli\u003eThe LLM, under prompt injection, crafts a \u003ccode\u003etools/call\u003c/code\u003e request to the MCP server, targeting \u003ccode\u003epraisonai.rules.create\u003c/code\u003e with a malicious \u003ccode\u003erule_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003erule_name\u003c/code\u003e includes path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) to write a file outside the intended rules directory.\u003c/li\u003e\n\u003cli\u003eThe MCP server\u0026rsquo;s \u003ccode\u003erules.create\u003c/code\u003e handler, lacking containment checks, writes the file to a location such as the user\u0026rsquo;s site-packages directory (e.g., \u003ccode\u003e~/.local/lib/python3.14/site-packages/evil.pth\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe written file is a Python \u003ccode\u003e.pth\u003c/code\u003e file containing an \u003ccode\u003eimport os; os.system(\u0026quot;malicious_command\u0026quot;)\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe next time the user starts a Python interpreter (including the \u003ccode\u003epraisonai\u003c/code\u003e CLI), the \u003ccode\u003e.pth\u003c/code\u003e file is processed, executing the attacker\u0026rsquo;s arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with the user\u0026rsquo;s privileges, potentially leading to data exfiltration, system compromise, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to achieve arbitrary code execution on the victim\u0026rsquo;s machine. This can lead to data exfiltration, installation of malware, or further compromise of the system. The vulnerability affects any user running a PraisonAI MCP server connected to an LLM without proper input validation, and the default configuration of the HTTP-stream transport exposes the server to local attacks without requiring authentication. The impact is significant as it can compromise the user\u0026rsquo;s entire system and any data accessible to the user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and containment to all file-handling tools. Specifically, implement checks to prevent path traversal in \u003ccode\u003epraisonai.rules.create\u003c/code\u003e, \u003ccode\u003epraisonai.rules.show\u003c/code\u003e, and \u003ccode\u003epraisonai.rules.delete\u003c/code\u003e as detailed in the \u0026ldquo;Suggested fix\u0026rdquo; section of the advisory.\u003c/li\u003e\n\u003cli\u003eEnforce schema validation in the MCP dispatcher to ensure that \u003ccode\u003eparams[\u0026quot;arguments\u0026quot;]\u003c/code\u003e conforms to the expected schema, rejecting unknown properties and type mismatches.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eworkflow.show\u003c/code\u003e tool to only accept paths within a designated workflow directory and reject absolute paths or any value containing \u003ccode\u003e..\u003c/code\u003e, as outlined in the \u0026ldquo;Suggested fix\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eRequire authentication on non-loopback HTTP-stream binds to prevent unauthorized access to the MCP server when using 
\u003ccode\u003epraisonai mcp serve --transport http-stream\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T13:59:36Z","date_published":"2026-05-11T13:59:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-mcp-pth-rce/","summary":"PraisonAI's MCP server is vulnerable to path traversal leading to arbitrary code execution by writing a Python `.pth` file into the user's site-packages directory, triggered via poisoned LLM contexts or unauthenticated HTTP-stream transports due to unvalidated kwargs in the dispatcher and lack of containment checks in file-handling tools.","title":"PraisonAI MCP Path Traversal to RCE via .pth Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-mcp-pth-rce/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-44338"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003e= 2.5.6, \u003c= 4.6.33)"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","API","CVE-2026-44338"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI includes a legacy Flask API server (\u003ccode\u003esrc/praisonai/api_server.py\u003c/code\u003e) that, by default, ships with authentication disabled. This is due to hardcoded values \u003ccode\u003eAUTH_ENABLED = False\u003c/code\u003e and \u003ccode\u003eAUTH_TOKEN = None\u003c/code\u003e, causing the \u003ccode\u003echeck_auth()\u003c/code\u003e function to always return \u003ccode\u003eTrue\u003c/code\u003e and effectively bypass authentication checks on \u003ccode\u003e/agents\u003c/code\u003e and \u003ccode\u003e/chat\u003c/code\u003e endpoints. The affected versions range from v2.5.6 to 4.6.33, which is the current PyPI release as of May 1, 2026. 
The \u003ccode\u003eserve agents\u003c/code\u003e command is not affected, but the older \u003ccode\u003eapi_server.py\u003c/code\u003e binds to 0.0.0.0:8080 by default, and the generated sample API deployment YAML recommends \u003ccode\u003ehost: 0.0.0.0\u003c/code\u003e together with \u003ccode\u003eauth_enabled: false\u003c/code\u003e, further exacerbating the issue. This vulnerability, identified as CVE-2026-44338, allows unauthenticated access to sensitive functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a PraisonAI instance running the vulnerable legacy API server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to the \u003ccode\u003e/agents\u003c/code\u003e endpoint to enumerate available agents.\u003c/li\u003e\n\u003cli\u003eThe API server, due to disabled authentication, grants access to the \u003ccode\u003e/agents\u003c/code\u003e endpoint without requiring any authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe server responds with agent metadata, revealing the configured \u003ccode\u003eagents.yaml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/chat\u003c/code\u003e endpoint, including a \u003ccode\u003emessage\u003c/code\u003e key in the JSON payload.\u003c/li\u003e\n\u003cli\u003eThe API server processes the request, bypassing authentication, and executes the workflow defined in \u003ccode\u003eagents.yaml\u003c/code\u003e by calling \u003ccode\u003ePraisonAI(agent_file=\u0026quot;agents.yaml\u0026quot;).run()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe API server returns the result of the \u003ccode\u003ePraisonAI.run()\u003c/code\u003e call to the unauthenticated attacker.\u003c/li\u003e\n\u003cli\u003eDepending on the configuration specified in \u003ccode\u003eagents.yaml\u003c/code\u003e, this can result in data exfiltration, code execution, or denial of service via resource 
exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any attacker with network access to the vulnerable PraisonAI instance to enumerate configured agents, trigger workflows defined in \u003ccode\u003eagents.yaml\u003c/code\u003e, consume model/API quota, and potentially expose sensitive information. The impact is determined by the capabilities defined in the \u003ccode\u003eagents.yaml\u003c/code\u003e file, but the authentication bypass itself is unconditional in the shipped legacy server. This vulnerability affects PraisonAI versions 2.5.6 through 4.6.33.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Access to PraisonAI Agents Endpoint\u0026rdquo; to detect unauthenticated access attempts to the \u003ccode\u003e/agents\u003c/code\u003e endpoint within your web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Chat Request to PraisonAI API Server\u0026rdquo; to identify unauthorized requests being made to the \u003ccode\u003e/chat\u003c/code\u003e endpoint to trigger workflow executions.\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version that addresses CVE-2026-44338 or migrate to the newer \u003ccode\u003eserve agents\u003c/code\u003e command which defaults to binding on localhost and supports API keys.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure the legacy API server\u0026rsquo;s \u003ccode\u003eAUTH_ENABLED\u003c/code\u003e setting is set to \u003ccode\u003eTrue\u003c/code\u003e and configure a strong \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e to mitigate the unauthenticated access vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the legacy API server to minimize the attack surface and prevent unauthorized external access to 
the vulnerable endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T13:57:56Z","date_published":"2026-05-11T13:57:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-auth-bypass/","summary":"PraisonAI ships a legacy Flask API server with authentication disabled by default, allowing any reachable caller to access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without providing a token (CVE-2026-44338).","title":"PraisonAI Legacy API Server Authentication Bypass (CVE-2026-44338)","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — PraisonAI","version":"https://jsonfeed.org/version/1.1"}