Summary
The MultiAgentLedger and MultiAgentMonitor components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically:
- Memory State Leakage via Agent ID Collision: The `MultiAgentLedger` uses a dictionary to store ledgers by agent ID without enforcing uniqueness. This allows agents with the same ID to share ledger instances, leading to potential leakage of sensitive context data.
- Path Traversal in MultiAgentMonitor: The `MultiAgentMonitor` constructs file paths by concatenating the `base_path` and agent ID without sanitization. This allows an attacker to escape the intended directory using path traversal sequences (e.g., `../`), potentially leading to arbitrary file read/write.
Details
Vulnerability 1: Memory State Leakage
- File: `examples/context/12_multi_agent_context.py:68`
- Description: The `MultiAgentLedger` class uses a dictionary (`self.ledgers`) to store ledger instances keyed by agent ID. The `get_agent_ledger` method creates a new ledger only if the agent ID is not present. If two agents are registered with the same ID, they will share the same ledger instance. This violates the isolation policy and can lead to leakage of sensitive context data (system prompts, conversation history) between agents.
- Exploitability: An attacker can register an agent with the same ID as a victim agent to gain access to their ledger. This is particularly dangerous in multi-tenant systems where agents may handle sensitive user data.
Vulnerability 2: Path Traversal
- File: `examples/context/12_multi_agent_context.py:106`
- Description: The `MultiAgentMonitor` class constructs file paths for agent monitors by directly concatenating the `base_path` and agent ID. Since the agent ID is not sanitized, an attacker can provide an ID containing path traversal sequences (e.g., `../../malicious`). This can result in files being created or read outside the intended directory (`base_path`).
- Exploitability: An attacker can create an agent with a malicious ID (e.g., `../../etc/passwd`) to write or read arbitrary files on the system, potentially leading to information disclosure or file corruption.
PoC
Memory State Leakage

```python
# MultiAgentLedger is the class defined in examples/context/12_multi_agent_context.py
multi_ledger = MultiAgentLedger()
# Victim agent (user1) registers and tracks sensitive data
victim_ledger = multi_ledger.get_agent_ledger('user1_agent')
victim_ledger.track_system_prompt("Sensitive system prompt")
victim_ledger.track_history([{"role": "user", "content": "Secret data"}])
# Attacker registers with the same ID
attacker_ledger = multi_ledger.get_agent_ledger('user1_agent')
# Attacker now has access to victim's ledger
print(attacker_ledger.get_ledger().system_prompt)  # Outputs: "Sensitive system prompt"
print(attacker_ledger.get_ledger().history)  # Outputs: [{'role': 'user', 'content': 'Secret data'}]
```
Path Traversal

```python
import tempfile

# MultiAgentMonitor is the class defined in examples/context/12_multi_agent_context.py
with tempfile.TemporaryDirectory() as tmpdir:
    multi_monitor = MultiAgentMonitor(base_path=tmpdir)
    # Create agent with malicious ID
    malicious_id = '../../malicious'
    monitor = multi_monitor.get_agent_monitor(malicious_id)
    # The monitor file is created outside the intended base_path
    # Example: if tmpdir is '/tmp/safe_dir', the actual path might be '/tmp/malicious'
    print(monitor.path)  # Outputs: '/tmp/malicious' (or equivalent)
```
For Memory State Leakage
- Enforce unique agent IDs at the application level. If the application expects unique IDs, add a check during agent registration to prevent duplicates.
- Alternatively, modify the `MultiAgentLedger` to throw an exception if an existing agent ID is reused (unless explicitly allowed).
For Path Traversal
- Sanitize agent IDs before using them in file paths. Replace any non-alphanumeric characters (except safe ones like underscores) or remove path traversal sequences.
- Use `os.path.join` and `os.path.realpath` to resolve paths, then check that the resolved path lies inside the intended base directory. Compare path components (for example with `os.path.commonpath`) rather than a plain string prefix, since a prefix check also accepts a sibling directory whose name merely begins with the base directory's name.
Example fix for MultiAgentMonitor:

```python
import os

def get_agent_monitor(self, agent_id: str):
    # Sanitize agent_id to remove path traversal
    safe_id = os.path.basename(agent_id.replace('../', '').replace('..\\', ''))
    # Alternatively, use a strict allow-list of characters
    # Reject IDs that collapse to nothing or to a directory reference
    if not safe_id or safe_id in ('.', '..'):
        raise ValueError(f"Invalid agent ID: {agent_id}")
    # Construct path and ensure it's within base_path
    agent_path = os.path.join(self.base_path, safe_id)
    real_path = os.path.realpath(agent_path)
    real_base = os.path.realpath(self.base_path)
    # commonpath rather than startswith(): a prefix check would also accept
    # a sibling directory whose name merely begins with real_base
    if os.path.commonpath([real_base, real_path]) != real_base:
        raise ValueError(f"Invalid agent ID: {agent_id}")
    ...
```
Additionally, consider using a dedicated function for sanitizing filenames.
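The two remediations above (reject reused agent IDs; allow-list the ID and verify containment before touching the filesystem) carried through as a small stand-in for the example classes. This is added example code, not the project's own; `Ledger`, `agent_path`, `allow_existing`, `rejects` and the `_SAFE_ID` pattern are assumptions, and it resolves paths without creating any files.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed allow-list: short IDs with no dots or path separators.
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

@dataclass
class Ledger:
    system_prompt: str = ""
    history: list = field(default_factory=list)

class MultiAgentLedger:
    """Ledgers keyed by agent ID; reusing an ID raises instead of sharing state."""
    def __init__(self):
        self.ledgers = {}

    def get_agent_ledger(self, agent_id, allow_existing=False):
        if agent_id in self.ledgers and not allow_existing:
            raise ValueError(f"agent ID already registered: {agent_id!r}")
        return self.ledgers.setdefault(agent_id, Ledger())

class MultiAgentMonitor:
    """Resolves per-agent file paths and refuses any that leave base_path."""
    def __init__(self, base_path):
        self.base_path = os.path.realpath(base_path)

    def agent_path(self, agent_id):
        # Allow-list first, so traversal sequences never reach the filesystem.
        if not _SAFE_ID.fullmatch(agent_id):
            raise ValueError(f"invalid agent ID: {agent_id!r}")
        real_path = os.path.realpath(os.path.join(self.base_path, agent_id))
        # Containment via commonpath: unlike startswith(), it does not accept
        # a sibling directory such as base_path + "_evil".
        if os.path.commonpath([self.base_path, real_path]) != self.base_path:
            raise ValueError(f"agent ID escapes base_path: {agent_id!r}")
        return real_path

def rejects(agent_id):
    """True if the hardened monitor refuses agent_id under a temporary base_path."""
    with tempfile.TemporaryDirectory() as tmpdir:
        try:
            MultiAgentMonitor(tmpdir).agent_path(agent_id)
        except ValueError:
            return True
        return False
```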
Impact
- Memory State Leakage: This vulnerability can lead to unauthorized access to sensitive agent context, including system prompts and conversation history. In a multi-tenant system, this could result in cross-user data leakage.
- Path Traversal: An attacker can read or write arbitrary files on the system, potentially leading to information disclosure, denial of service (by overwriting critical files), or remote code execution (if executable files are overwritten).
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-56078 has a CVSS score of 6.5 (Medium). The vector indicates network reachability, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.5.115); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-56078? CVE-2026-56078 is a medium-severity path traversal vulnerability in praisonaiagents (pip), affecting versions <= 1.5.114. It is fixed in 1.5.115. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-56078? CVE-2026-56078 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of praisonaiagents are affected by CVE-2026-56078? praisonaiagents (pip) versions <= 1.5.114 are affected.
- Is there a fix for CVE-2026-56078? Yes. CVE-2026-56078 is fixed in 1.5.115. Upgrade to this version or later.
- Is CVE-2026-56078 exploitable, and should I be worried? Whether CVE-2026-56078 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-56078 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-56078? Upgrade `praisonaiagents` to 1.5.115 or later.