PT-2026-30763 · Praisonai · Praisonai

Kritsana-Chaikaew · Published 2026-04-06 · Updated 2026-04-08 · CVE-2026-35615

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 1.5.113

Description

PraisonAI is susceptible to a path traversal issue due to a flaw in the validate_path() function. The function first calls os.path.normpath(), which collapses '..' sequences, and only then checks for the presence of '..' in the normalized path. Because the '..' sequences are already collapsed before the check runs, the check is ineffective, allowing an attacker to traverse to any file on the system. The path validation function also does not resolve symbolic links, which could potentially cause path traversal. The vulnerable code is in src/praisonai-agents/praisonaiagents/tools/file_tools.py, lines 42-49. This allows access to any file on the system, potentially including sensitive files like /etc/passwd and /etc/shadow.

Recommendations

Update PraisonAI to version 1.5.113 or later.
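
The check order described above, placed next to a containment check that resolves symbolic links before comparing against an allowed directory. This is an added example, not PraisonAI's code or its 1.5.113 patch; the function names, the base-directory parameter and the temporary files are assumptions constructed for the demonstration.

```python
import os
import tempfile

def flawed_validate(filepath):
    """Check order from the advisory: normalize first, then look for '..'."""
    normalized = os.path.normpath(filepath)
    if ".." in normalized:  # normpath already collapsed 'dir/..' pairs
        raise ValueError("path traversal detected")
    return os.path.abspath(normalized)

def contained_path(base_dir, filepath):
    """Hypothetical hardened check: resolve symlinks, then require containment."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filepath))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{filepath!r} resolves outside {base!r}")
    return candidate

def accepts(check, *args):
    try:
        check(*args)
        return True
    except ValueError:
        return False

def demo():
    # Constructed layout: <root>/workspace is the allowed directory,
    # <root>/outside.txt stands in for a file the tool must not reach.
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        os.mkdir(workspace)
        outside = os.path.join(root, "outside.txt")
        with open(outside, "w") as fh:
            fh.write("constructed file outside the workspace\n")
        link = os.path.join(workspace, "link.txt")
        os.symlink(outside, link)
        dotdot = os.path.join(workspace, "..", "outside.txt")
        return {
            "flawed_relative": accepts(flawed_validate, "../outside.txt"),
            "flawed_dotdot": accepts(flawed_validate, dotdot),
            "flawed_symlink": accepts(flawed_validate, link),
            "fixed_dotdot": accepts(contained_path, workspace, dotdot),
            "fixed_symlink": accepts(contained_path, workspace, "link.txt"),
            "fixed_absolute": accepts(contained_path, workspace, outside),
            "fixed_inside": accepts(contained_path, workspace, "notes.txt"),
        }

if __name__ == "__main__":
    print(demo())
```

The flawed check still rejects a path that begins with `..`, which is why it can look effective in a quick test; the absolute path containing `workspace/..` and the symlink both pass it, while the containment check rejects both and still accepts a file inside the workspace.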

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-35615
GHSA-693F-PF34-72C5

Affected Products

Praisonai