Praisonai · Praisonai · CVE-2026-35615
Name of the Vulnerable Software and Affected Versions
PraisonAI versions prior to 1.5.113
Description
PraisonAI is susceptible to a path traversal issue due to a flaw in the `_validate_path()` function. The function first calls `os.path.normpath()`, which collapses `..` segments, and only then checks whether `..` is present in the normalized path. Because the `..` segments have already been collapsed by the time the check runs, the check is ineffective and an attacker can traverse to any file on the system. The validation function also does not resolve symbolic links, which provides a second route to path traversal. The vulnerable code is in `src/praisonai-agents/praisonaiagents/tools/file_tools.py`, lines 42-49. The flaw allows access to any file on the system, potentially including sensitive files such as `/etc/passwd` and `/etc/shadow`.
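The following is an added illustration of the flawed pattern described above beside a hardened version; it is not PraisonAI's own code. `validate_path_flawed()` reproduces the normalize-then-check ordering, `validate_path_fixed()` resolves `..` and symlinks with `os.path.realpath()` and then confines the result to the base directory, and `demo()` exercises both against a constructed `..` traversal and a symlink escape in a scratch directory.

```python
import os
import tempfile


def validate_path_flawed(user_path: str, base_dir: str) -> bool:
    """Illustration of the advisory's flaw (not the project's code)."""
    # normpath() collapses the '..' segments first ...
    normalized = os.path.normpath(os.path.join(base_dir, user_path))
    # ... so this substring check never sees them and accepts the escape.
    return ".." not in normalized


def validate_path_fixed(user_path: str, base_dir: str) -> bool:
    """Resolve '..' and symlinks fully, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole segments, so /data does not match /data-evil.
    return os.path.commonpath([base, target]) == base


def demo() -> dict:
    """Run both checks against a '..' traversal and a symlink escape (constructed sample)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "data")
        os.mkdir(base)
        # A file outside the allowed directory, plus a symlink inside that points at it.
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample secret\n")
        os.symlink(secret, os.path.join(base, "link"))

        traversal = "../secret.txt"  # collapsed by normpath before the '..' check
        return {
            "traversal_flawed": validate_path_flawed(traversal, base),
            "traversal_fixed": validate_path_fixed(traversal, base),
            "symlink_flawed": validate_path_flawed("link", base),
            "symlink_fixed": validate_path_fixed("link", base),
            "benign_fixed": validate_path_fixed("notes/today.txt", base),
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The flawed check accepts both the `..` traversal and the symlink, while the fixed check rejects them and still accepts a benign relative path inside the base directory.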
Recommendations
Update PraisonAI to version 1.5.113 or later.