PT-2026-53137 · Pypi · Praisonai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
7.3
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
PraisonAI Code agent tools fail open without a workspace boundary
Summary
PraisonAI Code's agent-compatible
CODE TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE TOOLS, code read file, code search replace, or code apply diff before calling set workspace(), the wrappers pass workspace=None into lower-level helpers that only enforce path containment when a workspace is truthy. Absolute paths outside the intended project workspace are then read and modified.The official examples correctly call
set workspace() before CODE TOOLS, and this report does not claim configured workspaces are ineffective. The issue is the fail-open default. PraisonAI's security documentation describes workspace boundaries as the path-traversal protection mechanism, and the already-published Python API arbitrary file write advisory (GHSA-hvhp-v2gc-268q) was fixed by defaulting an unset workspace to os.getcwd(). The adjacent read and edit paths reached through CODE TOOLS still fail open.Affected Components
- Package:
praisonai - Current upstream main tested:
2f9677abb2ea68eab864ee8b6a828fd0141612e1 - Latest tested release:
v4.6.57 - Primary files:
src/praisonai/praisonai/code/agent tools.pysrc/praisonai/praisonai/code/tools/read file.pysrc/praisonai/praisonai/code/tools/search replace.pysrc/praisonai/praisonai/code/tools/apply diff.py
Root Cause
agent tools.py initializes workspace root to None and passes it directly to lower-level helpers:python
workspace root: Optional[str] = None
...
result = read file(..., workspace= workspace root)
...
result = search replace(..., workspace= workspace root)The lower-level helpers only enforce containment if
workspace is set:python
if workspace:
if not is path within directory(abs path, workspace):
return {"success": False, ...}The already-hardened
write file() path uses effective workspace = workspace or os.getcwd(). Current tests assert that write file(workspace=None) must stay inside the current working directory. The same fail-closed default is missing from read file, search replace, apply diff, and the agent wrappers that call them.Local-Only Reproduction
Run:
bash
PYTHONPATH=/path/to/PraisonAI/src/praisonai:/path/to/PraisonAI/src/praisonai-agents
python poc code tools workspace bypass.pyExpected vulnerable result:
text
[poc] HIT: CODE TOOLS wrappers read and edit outside workspace when workspace is unsetThe PoV creates a temporary workspace and a temporary file outside that workspace. With
get workspace() == None, code read file() reads the outside file, code search replace() modifies it, and code apply diff() modifies it again. After set workspace(workspace), the same outside path is rejected by all three wrappers.No external services, model providers, or network access are used.
Impact
If an application exposes PraisonAI Code's agent-compatible
CODE TOOLS to an LLM before setting a workspace boundary, prompt-influenced tool calls can read and modify files outside the intended project workspace. The practical attack shape matches the existing PraisonAI prompt-content advisory pattern: untrusted content influences an agent that has been given file-editing tools.Practical impacts include:
- reading host secrets or local configuration files accessible to the process user;
- modifying arbitrary existing files when the attacker can supply or infer matching content for
code search replaceorcode apply diff; - using
code read fileto first learn file content and thencode apply diffto produce an exact modification; - bypassing the advertised workspace-boundary security posture unless the embedding application remembered to call
set workspace()first.
This issue does not claim
set workspace() is ineffective. The control works when configured. The vulnerability is the fail-open default for the advertised agent-tool bundle and adjacent read/edit helpers.Affected-Version Sweep
The same behavior was reproduced on:
- current upstream main:
2f9677abb2ea68eab864ee8b6a828fd0141612e1 v4.6.57v4.6.56v4.6.10v4.6.9v4.5.128v4.5.126v3.9.26v3.9.24
Suggested Fix
Recommended fix:
- Make every low-level file helper compute
effective workspace = workspace or os.getcwd()before resolving paths. - Make
code read file,code list files,code apply diff,code search replace, andcode execute commanduseos.getcwd()as the default workspace whenworkspace root is None. - Keep allowing absolute paths only when they resolve inside the effective workspace.
- Add regression tests proving outside absolute paths are rejected before and after
set workspace(). - Consider failing closed if
CODE TOOLSis used before a workspace is configured, or log a warning when the default current working directory is used.
Disclosure Route
PraisonAI's official security documentation lists GitHub Security Advisories as the preferred reporting method and asks reports to include reproduction steps, affected versions, impact, and suggested fixes. The repository security policy page currently shows no configured
SECURITY.md, but private vulnerability reporting is available.Fix
Information Disclosure
Incorrect Authorization
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonai