PT-2026-53551 · Pypi · Praisonai
Published: 2026-06-29 · Updated: 2026-06-29
CVSS v3.1: 9.0 (Critical)
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (`../`) in the target path, malicious actions can overwrite sensitive system files or drop executable payloads on the host.

Details
Location: `src/praisonai/praisonai/cli/features/action_orchestrator.py` (Lines 402, 409, 423)

Vulnerable Code snippet:

```python
target = workspace / step.target
```

In the `apply_step` method, paths are constructed by concatenating the workspace path with a user-supplied `step.target` string: `target = workspace / step.target`. The code fails to resolve and validate that the final absolute path remains within the bounds of the workspace directory. When processing `FILE_CREATE` or `FILE_EDIT` actions, this flaw permits arbitrary file modification.

PoC
Construct a malicious `ActionStep` payload with path traversal characters:

```python
from praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus

# Payload targeting a file outside the workspace
step = ActionStep(
    id="test traversal",
    action_type=ActionType.FILE_CREATE,
    description="Malicious file write",
    target="../../../../../../../tmp/orchestrator pwned.txt",
    params={"content": "pwned"},
    status=ActionStatus.APPROVED,
)

# When the orchestrator applies this step, it writes to the traversed path
# apply_step(step)
```

Impact
This is an Arbitrary File Write vulnerability. Anyone running the Action Orchestrator to apply modifications is vulnerable. A malicious prompt could trick the agent into generating a plan that overwrites critical files (e.g., `~/.ssh/authorized_keys`, `.bashrc`), leading to Remote Code Execution (RCE) or system corruption.

Fix
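
The resolve-and-validate step that the Details section identifies as missing, shown as an added example (not PraisonAI's patch and not code from this advisory). `resolve_in_workspace` and `WorkspaceEscapeError` are hypothetical names, and the sample targets other than the PoC path are constructed.

```python
import os
import tempfile
from pathlib import Path


class WorkspaceEscapeError(ValueError):
    """A step target resolved to a location outside the workspace."""


def resolve_in_workspace(workspace, target):
    """Hypothetical helper (not PraisonAI's API): join, resolve, then contain."""
    root = Path(workspace).resolve()
    # Path("/ws") / "/etc/passwd" == Path("/etc/passwd"): an absolute target
    # discards the workspace. resolve() also collapses ".." and follows symlinks,
    # so the containment test runs on the real location, not the string.
    candidate = (root / target).resolve()
    if root not in candidate.parents:
        raise WorkspaceEscapeError(f"{target!r} resolves outside {root}")
    return candidate


def demo():
    """Return {target: allowed} for constructed sample targets."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = Path(tmp, "workspace"), Path(tmp, "outside")
        ws.mkdir()
        outside.mkdir()
        os.symlink(outside, ws / "link")  # constructed symlink leaving the workspace
        samples = [
            "src/app.py",        # ordinary relative target
            "src/../README.md",  # ".." that stays inside
            "../../../../../../../tmp/orchestrator pwned.txt",  # target from the PoC
            "/etc/passwd",       # absolute path
            "link/dropped.txt",  # escapes through the symlink
        ]
        verdicts = {}
        for target in samples:
            try:
                resolve_in_workspace(ws, target)
                verdicts[target] = True
            except WorkspaceEscapeError:
                verdicts[target] = False
        return verdicts


if __name__ == "__main__":
    for target, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", target)
```

The write should go to the path this function returns, resolved immediately before the file is opened, since a symlink created between the check and the write would bypass it.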
Related Identifiers
Affected Products
Praisonai