PT-2026-30765 · Praisonai · Praisonai
R1Zzg0D · Published 2026-04-06 · Updated 2026-04-07 · CVE-2026-39306
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 1.5.113

Description: PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives using tar.extractall() without validating archive member paths before extraction. A malicious publisher can upload a recipe bundle containing ../ traversal entries, allowing them to write files outside the intended output directory for any user who pulls that recipe. This affects both local and HTTP registry pull paths. The checksum verification does not prevent exploitation, as the malicious payload is part of the signed bundle.

The issue stems from the unsafe extraction of tar archive contents during recipe pull. A malicious publisher creates a .praison bundle with traversal entries like ../../escape-http.txt. The LocalRegistry.publish() function only reads manifest.json and stores the bundle without sanitizing the tar members. When a victim pulls the recipe, LocalRegistry.pull() or HttpRegistry.pull() extracts the tarball using tar.extractall(), allowing traversal entries to escape the intended directory and create files elsewhere on disk.

Recommendations: Update to version 1.5.113 or later to resolve this issue.
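The missing check described above, as an added example that is not PraisonAI's own code: every tar member is resolved against the output directory and rejected if it escapes (or is a link), before anything is written. Function names, the in-memory fixture standing in for a .praison bundle, and Python 3.9+ (for Path.is_relative_to) are assumptions.

```python
import io
import tarfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """A tar member that would write outside the extraction directory."""


def check_member(member: tarfile.TarInfo, dest: Path) -> None:
    """Reject members whose resolved path ('..' or absolute) leaves `dest`."""
    # Links are refused outright (assumption: recipe bundles never need them);
    # this also closes the symlink-then-write-through variant of traversal.
    if member.issym() or member.islnk():
        raise UnsafeArchiveMember(f"link member not allowed: {member.name}")
    if not (member.isfile() or member.isdir()):
        raise UnsafeArchiveMember(f"unsupported member type: {member.name}")
    target = (dest / member.name).resolve()
    if not target.is_relative_to(dest):  # Path.is_relative_to needs Python 3.9+
        raise UnsafeArchiveMember(f"path escapes output dir: {member.name}")


def safe_extractall(bundle: bytes, dest: Path) -> list[str]:
    """Validate every member before writing anything, then extract."""
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:*") as tar:
        members = tar.getmembers()
        # Check the whole list first so a bad entry late in the archive
        # cannot leave a half-extracted bundle on disk.
        for m in members:
            check_member(m, dest)
        # Where tarfile ships data_filter (3.12+ and security backports), let
        # tarfile refuse unsafe members too, as defence in depth.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, members=members, filter="data")
        else:
            tar.extractall(dest, members=members)
    return [m.name for m in members]


def build_bundle(entries: dict[str, bytes]) -> bytes:
    """Constructed fixture: an in-memory gzip tar standing in for a .praison
    bundle (assumed here to be a plain tar of files; not the real layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A bundle with a ../../escape-http.txt entry raises UnsafeArchiveMember before any file is written, while a well-formed bundle extracts normally.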

Fix · Path traversal


Related Identifiers

CVE-2026-39306
GHSA-4RX4-4R3X-6534

Affected Products

Praisonai