PT-2026-45053 · Pypi · Praisonai

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-47394

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcp server/adapters/cli tools.py:
"registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments… with no containment check."
Commit 68cc9427 ("fix(security): harden MCP rules path handling…") added a resolve rule path() helper and applied it to rules.create, rules.show, and rules.delete. workflow.show was left unchanged. Two adjacent handlers in the same file have the same pattern, workflow.validate and deploy.validate. Neither was mentioned in the original advisory. Both remain unchanged.
The original advisory also identified the dispatcher (server.py:281-298) as a root cause. It accepts unvalidated **kwargs from params["arguments"] with no enforcement against the tool's declared input schema. That code is unchanged in HEAD as of commit 42221210.
Result: A single unauthenticated MCP tools/call to praisonai.workflow.show returns the contents of any file the host user can read: /etc/passwd, ~/.ssh/id rsa, ~/.aws/credentials, or any project .env.

Affected functionality

src/praisonai/praisonai/mcp server/adapters/cli tools.py:
LinesToolBug
63-73praisonai.workflow.showReturns the full contents of any file the host user can read
42-61praisonai.workflow.validateReads any path; YAML parser error messages leak file existence + content fragments
415-432praisonai.deploy.validateSame pattern as workflow.validate. The config path="deploy.yaml" default does not constrain the input.
src/praisonai/praisonai/mcp server/server.py:281-298, handle tools call:
async def handle tools call(self, params: Dict[str, Any]) -> Dict[str, Any]:
  tool name = params.get("name")
  arguments = params.get("arguments", {})
  ...
  tool = self. tool registry.get(tool name)
  ...
  if asyncio.iscoroutinefunction(tool.handler):
    result = await tool.handler(**arguments)    # ← no schema enforcement
  else:
    result = tool.handler(**arguments)
Any JSON arguments the MCP client sends become a **kwargs call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.

Default deployment is exposed

src/praisonai/praisonai/mcp server/transports/http stream.py:38-91:
  • host defaults to 127.0.0.1, which is still reachable from any local process or container neighbour on loopback.
  • api key defaults to None. The auth check at http stream.py:192-198 is gated on if self.api key:, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.
  • The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).

Other file-read sinks reachable via the same dispatcher

These were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to cli tools.py:
  • mcp server/adapters/capabilities.py:19-28, praisonai.audio.transcribe(file path). Opens any host file and ships it to OpenAI Whisper.
  • mcp server/adapters/extended capabilities.py:47-62, praisonai.files.create(file path). Uploads any host file to OpenAI Files. A follow-up call to praisonai.files.content(file id) (extended capabilities.py:103-113) returns the bytes.
  • mcp server/adapters/extended capabilities.py:243-258, praisonai.ocr extract(image path). Opens any image, returns OCR text.
The three handlers in cli tools.py are the most direct primitives, since they echo the file content back without an OpenAI round-trip.

Proof of Concept

Layout

PraisonAI/
└── poc/
  ├── start mcp server.sh     ← starts the real MCP server
  ├── run mcp poc video.sh    ← runs the attack with curl
  ├── venv/            
  └── output/
    ├── mcp server run.log
    ├── mcp attacker run.log
    └── synthetic credentials.txt  (PoC-only fake creds)
[start mcp server.sh](https://github.com/user-attachments/files/27569524/start mcp server.sh) [run mcp poc video.sh](https://github.com/user-attachments/files/27569525/run mcp poc video.sh)
The server starter runs the real MCPServer class with register cli tools(), same code path praisonai mcp serve --transport http-stream uses. No mocks.

How to reproduce

Terminal 1, start the server:
cd PraisonAI
bash poc/start mcp server.sh
Boots MCPServer on 127.0.0.1:8766/mcp with no auth, matching the documented default api key=None.
Terminal 2, run the attack:
cd PraisonAI
bash poc/run mcp poc video.sh
Six numbered steps. Each one prints the action, runs one curl, prints the JSON-RPC response.
workflow.validate leaks /etc/hosts:
{ "result": { "content": [{ "type": "text",
 "text": "YAML error: while scanning for the next token
found character 't' that cannot start any token
 in "/etc/hosts", line 7, column 10" }] } }
The parser error message confirms the file exists and includes a fragment of its content.
deploy.validate leaks ~/.ssh/known hosts:
{ "result": { "content": [{ "type": "text",
 "text": "Error: expected '<document start>', but found '<scalar>'
 in "/Users/<victim>/.ssh/known hosts", line 1, column 13" }] } }
workflow.show exfiltrates a credential file:
{ "result": { "content": [{ "type": "text",
 "text": "# AWS-style credentials (SYNTHETIC, for PoC only)
[default]
aws access key id = AKIA-FAKE-EXFIL-KEY-FOR-POC
aws secret access key = synthetic-secret-do-not-actually-exist-12345

# .env-style secrets
DATABASE URL=postgres://app:hunter2@db.internal/prod
SLACK BOT TOKEN=xoxb-FAKE-TOKEN-for-poc-only
OPENAI API KEY=sk-FAKE-FOR-POC
" }] } }
The PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer's real secrets. The same call reads ~/.ssh/id rsa, ~/.aws/credentials, or any project .env if you point it there.
https://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a

Impact

  • Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project .env files, ~/.netrc, ~/.docker/config.json, browser cookie databases, and the system password file.
  • No authentication required. The default is api key=None (http stream.py:91). The auth check at http stream.py:192-198 is wrapped in if self.api key:, so it does not run when no key is configured.
  • No operator misconfiguration required. This is the documented default.
  • The original advisory's exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same tools/call and returning the response. No operator click is needed beyond "summarise this page".
The original advisory was Critical because the write primitive (rules.create) chained to RCE through .pth injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.

Suggested fix

There are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.

1. Enforce tool.input schema in the dispatcher

mcp server/server.py:281-298. The schemas are already built reflectively from each handler's signature in registry.py:320-376. Validate arguments against the registered schema before calling tool.handler(**arguments) and reject anything that does not match. This covers workflow.show, workflow.validate, deploy.validate, audio.transcribe, files.create, ocr extract, and any handler added later.

2. Per-handler containment

This is the same shape as the existing resolve rule path() helper added in commit 68cc9427:
# cli tools.py
def resolve workflow path(file path: str) -> Path:
  """Restrict workflow file path to an allowed root."""
  if not isinstance(file path, str) or not file path:
    raise ValueError("file path must be a non-empty string")
  if "x00" in file path or file path.startswith("~"):
    raise ValueError(f"invalid file path: {file path!r}")
  workflows root = Path(os.path.expanduser("~/.praison/workflows")).resolve()
  workflows root.mkdir(parents=True, exist ok=True)
  candidate = (workflows root / file path).resolve()
  try:
    candidate.relative to(workflows root)
  except ValueError:
    raise ValueError(f"invalid file path: {file path!r}")
  return candidate
Apply the same helper to:
  • workflow show(file path) and workflow validate(file path). Restrict to a workflow root.
  • deploy validate(config path). Restrict to a deploy-config root or an explicit allowlist.
  • The default="deploy.yaml" fallback resolves into the user's current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.

Fix

Path traversal

Missing Authorization

Information Disclosure

Weakness Enumeration

CWE-22CWE-862CWE-200

Related Identifiers

CVE-2026-47394
GHSA-9CR9-25Q5-8PRJ

Affected Products

Praisonai