PT-2026-57192 · Mervinpraison · Praisonai
Rexpository
·
Publicado
2026-07-10
·
Atualizado
2026-07-10
·
CVE-2026-61432
CVSS v3.1
5.7
Média
| Vetor | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute tool() prepends the configured workspace path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep search, glob search, read file, or list directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.
Exploit
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Praisonai