PT-2026-31787 · Praisonai · Praisonai

Published
2026-04-09

Updated
2026-04-10

CVE
CVE-2026-40148

CVSS v3.1
6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
PraisonAI versions prior to 4.5.128
Description
PraisonAI is a multi-agent team system. The safe extractall() function in the recipe registry validates archive members against path traversal but does not check individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (a decompression bomb) that exhausts the victim's disk when the bundle is pulled via LocalRegistry.pull() or HttpRegistry.pull(). The CVSS vector reflects this: the attacker needs no privileges, but the victim has to pull the bundle (UI:R), and the impact is limited to availability.
Recommendations
Update to version 4.5.128 or later.
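The check the advisory says was missing, shown as an added example. This is not PraisonAI's code and does not reproduce its fix; it is a stand-alone Python guard that validates every tar header (path, member type, member count, per-member size and cumulative size) before anything is written, plus a bound on the compressed archive itself. The limit values, the function names and the constructed test bundles are assumptions made for this example.

```python
"""Size-, count- and path-aware tar extraction (illustrative, not PraisonAI's code)."""
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Illustrative defaults (assumptions for this example, not values from the project).
MAX_ARCHIVE_BYTES = 20 * 1024 * 1024   # compressed bundle on disk
MAX_MEMBERS = 1_000                    # entries in the archive
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # declared size of any single file
MAX_TOTAL_BYTES = 200 * 1024 * 1024    # declared size of all files combined


class UnsafeArchive(ValueError):
    """The bundle violates a safety policy; nothing has been written to disk."""


def check_members(tar, dest, max_members=MAX_MEMBERS,
                  max_member_bytes=MAX_MEMBER_BYTES,
                  max_total_bytes=MAX_TOTAL_BYTES):
    """Validate every header before extraction and return the total declared size.

    Tar headers are authoritative for extraction: extractall() writes exactly
    member.size bytes per regular file, so bounding the headers bounds disk use
    no matter how well the payload compresses.
    """
    dest = Path(dest).resolve()
    total = 0
    for count, member in enumerate(tar.getmembers(), start=1):
        if count > max_members:
            raise UnsafeArchive(f"more than {max_members} members")
        name = member.name
        # Path traversal: no absolute names, no '..' components, and the resolved
        # target must stay inside dest.
        if name.startswith(("/", "\\")) or ".." in Path(name).parts:
            raise UnsafeArchive(f"unsafe member path: {name!r}")
        target = (dest / name).resolve()
        if target != dest and dest not in target.parents:
            raise UnsafeArchive(f"member escapes destination: {name!r}")
        # Links and device nodes can alias files outside dest; allow files and dirs only.
        if not (member.isfile() or member.isdir()):
            raise UnsafeArchive(f"disallowed member type: {name!r}")
        if member.size > max_member_bytes:
            raise UnsafeArchive(f"{name!r} declares {member.size} bytes (limit {max_member_bytes})")
        total += member.size
        if total > max_total_bytes:
            raise UnsafeArchive(f"cumulative size {total} exceeds {max_total_bytes}")
    return total


def safe_extractall(archive_path, dest, max_archive_bytes=MAX_ARCHIVE_BYTES, **limits):
    """Extract archive_path into dest only if every member passes check_members()."""
    # Bound the compressed input too: getmembers() has to decompress the whole
    # stream to walk the headers, so an oversized file is refused before that.
    if os.path.getsize(archive_path) > max_archive_bytes:
        raise UnsafeArchive("archive larger than allowed")
    with tarfile.open(archive_path, "r:*") as tar:
        total = check_members(tar, dest, **limits)
        if hasattr(tarfile, "data_filter"):   # PEP 706 filter where available
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return total


def build_bundle(path, members):
    """Write a gzip tar of NUL-filled files (constructed test input, compresses ~1000:1)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, size in members:
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"\0" * size))


def run_demo():
    """Build one benign bundle and several hostile ones; report how each is handled."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        good = work / "good.tgz"
        build_bundle(good, [("recipe/README.md", 100), ("recipe/main.py", 200)])
        results["good_total"] = safe_extractall(good, work / "good_out")
        results["good_file_size"] = (work / "good_out/recipe/main.py").stat().st_size

        # Two 1 MiB zero-filled files: a few KiB on disk, 2 MiB when extracted.
        bomb = work / "bomb.tgz"
        build_bundle(bomb, [("recipe/a.bin", 1 << 20), ("recipe/b.bin", 1 << 20)])
        results["bomb_on_disk"] = bomb.stat().st_size
        for key, limits in (("per_member", {"max_member_bytes": 512 * 1024}),
                            ("cumulative", {"max_total_bytes": 3 * 512 * 1024}),
                            ("count", {"max_members": 1})):
            out = work / f"bomb_{key}"
            try:
                safe_extractall(bomb, out, **limits)
                results[key] = "extracted"
            except UnsafeArchive:
                results[key] = "rejected" if not out.exists() else "rejected-but-wrote"

        trav = work / "trav.tgz"
        build_bundle(trav, [("../escape.txt", 10)])
        try:
            safe_extractall(trav, work / "trav_out")
            results["traversal"] = "extracted"
        except UnsafeArchive:
            results["traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The size checks read only the tar headers, which is enough because extraction never writes more than a member's declared size; the separate cap on the compressed file matters because listing the members of a gzip tar already decompresses the whole stream. Python's "data" extraction filter (PEP 706) rejects traversal and links but enforces no size or count limits, so it complements rather than replaces these checks.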

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-40148
GHSA-F2H6-7XFR-XM8W

Affected Products

Praisonai