CVE-2026-60089 in PraisonAIinfo

Summary

by MITRE • 07/10/2026

PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

PraisonAI is a python package designed to facilitate agent-based workflows and automation within development environments. The vulnerability exists in versions prior to 1.6.78 where the system automatically loads configuration defaults from a local .praisonai/config.toml file during Agent construction. This behavior creates a significant security risk through improper input validation and path handling mechanisms that allow maliciously crafted configuration files to manipulate where agent outputs are written. The core technical flaw resides in the lack of validation for the defaults.output.output_file path parameter, which permits absolute paths or directory traversal sequences such as '..' that can escape the intended project boundaries.

The operational impact of this vulnerability is severe and directly exploitable through repository-controlled configuration files. When a developer checks out a malicious repository containing a specially crafted .praisonai/config.toml file, the system will automatically read the output_file path without proper sanitization. If the agent.start() method is called without explicitly overriding the output parameter, PraisonAI will write its response to the specified location, recursively creating parent directories as needed. This allows an attacker to overwrite files anywhere on the filesystem with the privileges of the user executing the tool, potentially leading to privilege escalation, data corruption, or even system compromise depending on execution context and file permissions.

This vulnerability maps directly to CWE-22 Improper Limitation of a Pathname to a Restricted Directory and CWE-73 Hardcoded Temporary File, as it allows arbitrary file writing outside of intended boundaries through configuration manipulation. From an attack perspective, this aligns with ATT&CK technique T1059 Command and Scripting Interpreter and T1499 Endpoint Denial of Service, as it can be exploited to overwrite critical system files or cause denial of service through file corruption. The vulnerability also relates to T1566 Impersonation of a Trusted User or Service, as it leverages the trust placed in repository content to execute unauthorized file operations.

The primary mitigation strategy involves implementing strict input validation for all path parameters loaded from external configuration files, particularly those related to output destinations. Developers should ensure that any path specified in configuration files is validated against a whitelist of acceptable directories or normalized to prevent directory traversal attacks. The recommended solution includes implementing absolute path validation, restricting file operations to project-local directories only, and ensuring that the tool does not automatically load potentially malicious configuration files without explicit user consent. Additionally, developers should be educated about the risks of executing code from untrusted repositories and should implement proper sandboxing or containerization for automated agent execution environments. The fix should enforce that output paths are either relative to the project root or explicitly validated against a secure baseline before any file operations are permitted.

Responsible

VulnCheck

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!