{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35615", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:46:15.192Z", "dateUpdated": "2026-04-09T16:18:10.919Z"}, "containers": {"cna": {"title": "PraisonAI has a Path Traversal in FileTools", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5"}, {"name": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113", "tags": ["x_refsource_MISC"], "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.113", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:46:15.192Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113."}], "source": {"advisory": "GHSA-693f-pf34-72c5", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:08:17.336567Z", "id": "CVE-2026-35615", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:18:10.919Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35615", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:08:17.336567Z"}}}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:08:27.044Z"}}], "cna": {"title": "PraisonAI has a Path Traversal in FileTools", "source": {"advisory": "GHSA-693f-pf34-72c5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.113"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113", "name": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:46:15.192Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35615", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:18:10.919Z", "dateReserved": "2026-04-03T21:25:12.163Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:46:15.192Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "A07434ED-BEE4-49D7-88F0-D154BE0D3701", "versionEndExcluding": "1.5.113", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113."}], "id": "CVE-2026-35615", "lastModified": "2026-04-16T01:34:08.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:35.980", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.113)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-07T23:49:21.597877+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAI to version 1.5.113 or later, where the bug has been corrected.", "If an upgrade is not immediately possible, limit the permissions granted to the PraisonAI process so it cannot access or modify files outside its intended directory, and monitor the system for unexpected file activity.", "Confirm that any custom configurations or plugins do not expose the vulnerable path\u2011validation function to untrusted input sources."], "summary": {"action": "Immediate Patch", "impact": "Path Traversal"}, "threat_synthesis": {"affected_systems": "The vendor MervinPraison publishes PraisonAI, and the vulnerability exists in every release before version 1.5.113. Any deployment running those earlier releases remains exposed.", "description_and_impact": "PraisonAI\u2019s FileTools component contains an error in the _validate_path routine. The function first normalizes paths, which collapses any '..' sequences, then checks for the presence of '..' in the already\u2011processed string. Because the collapse step removes those sequences, the subsequent check always succeeds, allowing an adversary to construct paths that escape the intended directory and access any file on the system. This flaw enables reading or modifying arbitrary files, potentially exposing sensitive data or allowing malicious code to be written. The weakness is a classic instance of path traversal as defined by CWE\u201122.", "risk_and_exploitability": "The reported score for this issue is 9.2, indicating high severity with substantial impact on confidentiality, integrity, and availability. No publicly available exploit probability metric has been released. The flaw has not been documented in the relevant exploitation catalog. The attack likely involves either local or remote access to the component that can feed crafted file paths; once triggered, an attacker can read configuration files, secrets, or write arbitrary files, potentially leading to system compromise."}}}}, "created": "2026-04-08T19:36:41.552480+00:00", "updated": "2026-04-08T19:47:45.062182+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}