PT-2026-31791 · Unknown · Praisonaiagents

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-40152

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

PraisonAIAgents versions prior to 1.5.128

Description

PraisonAIAgents is a multi-agent teams system. The list_files() tool in FileTools validates the directory parameter against workspace boundaries using the validate_path() function, but passes the pattern parameter directly to Path.glob() without validation. Python's Path.glob() function supports '..' path segments, allowing an attacker to use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace. This can expose file metadata, including existence, name, size, and timestamps, for any path on the filesystem.

Recommendations

Update to version 1.5.128 or later.
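The validation gap described above, as an added example that is neither PraisonAIAgents code nor its actual patch: list_files_unchecked, list_files_checked and demo are hypothetical names, and the sample tree is constructed in a temporary directory. The checked variant rejects absolute patterns and '..' segments, then confirms that each resolved match is still inside the workspace (which also covers symlinks).

```python
import tempfile
from pathlib import Path


def _entry(p: Path) -> dict:
    st = p.lstat()  # lstat: report the entry itself, never follow a symlink
    return {"name": p.name, "size": st.st_size, "modified": st.st_mtime}


def list_files_unchecked(workspace: Path, directory: str, pattern: str) -> list:
    """Shape of the flaw: the directory is bounded, the pattern is not."""
    root = workspace.resolve()
    base = (root / directory).resolve()
    if not base.is_relative_to(root):
        raise ValueError("directory escapes workspace")
    # A '..' segment inside the pattern is honoured by Path.glob().
    return [_entry(p) for p in base.glob(pattern)]


def list_files_checked(workspace: Path, directory: str, pattern: str) -> list:
    """Hypothetical hardened form: bound the pattern and every match."""
    root = workspace.resolve()
    base = (root / directory).resolve()
    if not base.is_relative_to(root):
        raise ValueError("directory escapes workspace")
    segments = pattern.replace("\\", "/").split("/")
    # Reject empty/absolute patterns, drive prefixes and parent segments.
    if segments[0] == "" or ":" in segments[0] or ".." in segments:
        raise ValueError("pattern must be relative and free of '..'")
    # Re-check resolved matches so a symlink cannot lead outside the root.
    return [_entry(p) for p in base.glob(pattern)
            if p.resolve().is_relative_to(root)]


def demo():
    tmp = Path(tempfile.mkdtemp())          # constructed sample tree
    ws = tmp / "workspace"
    ws.mkdir()
    (ws / "notes.txt").write_text("in scope")
    (tmp / "outside.txt").write_text("out of scope")
    leaked = {e["name"] for e in list_files_unchecked(ws, ".", "../*")}
    try:
        list_files_checked(ws, ".", "../*")
        rejected = False
    except ValueError:
        rejected = True
    allowed = {e["name"] for e in list_files_checked(ws, ".", "*.txt")}
    return leaked, rejected, allowed
```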

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-40152
GHSA-7J2F-XC8P-FJMQ

Affected Products

Praisonaiagents