PT-2026-39003 · Praisonai · Praisonai

Curly-Haired-Baboon

·

Published

2026-05-08

·

Updated

2026-05-14

·

CVE-2026-44336

CVSS v3.1

9.6

Critical

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.6.34

Description: The Model Context Protocol (MCP) server in PraisonAI contains a path traversal flaw in its file-handling tools. The server registers four tools by default: 'praisonai.rules.create', 'praisonai.rules.show', 'praisonai.rules.delete' and 'praisonai.workflow.show'. These tools accept path or filename strings through the tools/call endpoint and join them to the ~/.praison/rules/ directory (or, in the case of 'praisonai.workflow.show', accept absolute paths outright) without checking that the resulting path stays inside that directory. In addition, the JSON-RPC dispatcher passes params["arguments"] to the handlers via **kwargs without validating them against the tool's declared input schema.

An attacker can supply a rule name containing traversal sequences (e.g. ../../) to read, write or delete any file that the user running the server has permissions for. Arbitrary file write escalates to code execution: writing a Python .pth file into the user's site-packages directory causes it to be processed at startup by every Python interpreter the user subsequently runs. The flaw is reachable through an MCP-connected LLM via indirect prompt injection (for example, malicious web content the model is asked to read), or directly via the praisonai mcp serve --transport http-stream endpoint, which by default listens on loopback with no authentication.
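The two defects above (a path join with no containment check, and tool arguments unpacked as **kwargs before any schema validation) are easiest to see side by side. The block below is an added illustration written for this advisory, not PraisonAI's own code: the rules directory, the tools/call shape and the 'praisonai.rules.show' tool name follow the text, while the helper names, the schema layout and the sandbox directory are assumptions made for the example. It shows the vulnerable join escaping the rules directory (and an absolute name discarding it entirely), then a hardened resolver and a dispatcher that validates arguments before calling a handler.

```python
"""Added example for CVE-2026-44336: vulnerable vs. hardened rule-path
resolution and argument validation for an MCP tools/call dispatcher.
Illustrative code, not PraisonAI's implementation. Function names, the
schema layout and the temp sandbox are assumptions for this example."""
import re
import tempfile
from pathlib import Path

# Constructed sandbox standing in for ~/.praison/rules so the example runs
# offline without touching the real home directory.
BASE_DIR = Path(tempfile.mkdtemp()) / ".praison" / "rules"
BASE_DIR.mkdir(parents=True)
(BASE_DIR / "coding-style").write_text("Use type hints.\n")


def resolve_rule_path_vulnerable(name: str) -> Path:
    """The flawed pattern: join the caller-supplied name to the rules
    directory with no containment check. '../../x' walks out of BASE_DIR,
    and an absolute name replaces BASE_DIR entirely (pathlib's '/' and
    os.path.join both behave this way)."""
    return BASE_DIR / name


# Allow-list: a plain filename, no separators, no leading dot.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


def resolve_rule_path_safe(name: str) -> Path:
    """Hardened resolution: allow-list the name, then confirm the resolved
    path (symlinks followed) still sits strictly inside the rules directory.
    The second check is defense in depth: it also rejects a symlink planted
    under BASE_DIR that points somewhere else."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid rule name: {name!r}")
    base = BASE_DIR.resolve()
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise ValueError(f"rule name escapes rules directory: {name!r}")
    return candidate


# Per-tool input schema in JSON Schema style (assumed layout for the example).
TOOL_SCHEMAS = {
    "praisonai.rules.show": {
        "type": "object",
        "properties": {"name": {"type": "string"}},
        "required": ["name"],
        "additionalProperties": False,
    }
}
_JSON_TYPES = {"string": str, "integer": int, "boolean": bool,
               "object": dict, "array": list}


def validate_arguments(schema: dict, arguments) -> dict:
    """Minimal schema check (type, required, additionalProperties) applied
    before the handler receives a single keyword argument."""
    if not isinstance(arguments, dict):
        raise ValueError("arguments must be an object")
    props = schema.get("properties", {})
    missing = [k for k in schema.get("required", []) if k not in arguments]
    if missing:
        raise ValueError(f"missing required arguments: {missing}")
    if not schema.get("additionalProperties", True):
        extra = sorted(set(arguments) - set(props))
        if extra:
            raise ValueError(f"unexpected arguments: {extra}")
    for key, value in arguments.items():
        expected = _JSON_TYPES.get(props.get(key, {}).get("type"))
        if expected is not None and not isinstance(value, expected):
            raise ValueError(f"argument {key!r} must be {props[key]['type']}")
    return arguments


def rules_show(name: str) -> str:
    """Handler for praisonai.rules.show built on the safe resolver."""
    return resolve_rule_path_safe(name).read_text()


HANDLERS = {"praisonai.rules.show": rules_show}


def dispatch(request: dict) -> dict:
    """tools/call dispatcher: look up the tool, validate the arguments
    against its schema, and only then unpack them as **kwargs."""
    params = request.get("params", {})
    tool = params.get("name")
    if tool not in HANDLERS:
        return {"error": f"unknown tool: {tool!r}"}
    try:
        kwargs = validate_arguments(TOOL_SCHEMAS[tool],
                                    params.get("arguments", {}))
        return {"result": HANDLERS[tool](**kwargs)}
    except (ValueError, FileNotFoundError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    traversal = "../../../etc/passwd"
    print(resolve_rule_path_vulnerable(traversal))   # outside BASE_DIR
    print(resolve_rule_path_vulnerable("/etc/passwd"))  # BASE_DIR discarded
    print(dispatch({"params": {"name": "praisonai.rules.show",
                               "arguments": {"name": traversal}}}))
```

The allow-list alone would stop lexical traversal, but keeping the resolve-and-compare check as well is what catches a symlink inside the rules directory, which a write-capable tool like 'praisonai.rules.create' could otherwise be used to plant. Rejecting unexpected keys in the dispatcher matters because **kwargs would otherwise let a caller reach any keyword parameter the handler happens to expose.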
Recommendations: Update to version 4.6.34 or later. As a temporary workaround when running the MCP server with the HTTP-stream transport, keep it bound to the loopback interface and pass the --api-key flag so that unauthenticated clients cannot reach tools/call. Note that neither measure addresses the indirect prompt-injection path, because the injected tool call is relayed by the legitimate, already-authenticated MCP client on the same host; only the upgrade removes the traversal itself.

Exploit

Fix

Path traversal

Code Injection

RCE

Related Identifiers

CVE-2026-44336
GHSA-9MQQ-JQXF-GRVW

Affected Products

Praisonai