CVE-2026-61432 in PraisonAIinfo

Summary

by MITRE • 07/10/2026

PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep_search, glob_search, read_file, or list_directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The PraisonAI vulnerability represents a critical path traversal flaw in the FastContext feature that undermines fundamental security boundaries within the software architecture. This vulnerability exists specifically within the FastContextAgent.execute_tool() method where the system fails to properly validate and sanitize file paths before processing user inputs or model-generated function calls. The flaw stems from the improper handling of workspace containment logic, where the configured workspace_path is only prepended to relative paths while absolute paths are accepted without validation, creating a direct pathway for attackers to escape the intended execution environment.

The technical implementation of this vulnerability exploits the lack of proper path canonicalization and validation mechanisms within the context processing pipeline. When tools such as grep_search, glob_search, read_file, or list_directory receive arguments containing absolute paths or directory traversal sequences like '../', the system fails to reject these inputs or normalize the resulting paths before enforcing workspace boundaries. This design flaw allows attackers to manipulate the execution flow by providing carefully crafted inputs that bypass the intended workspace containment measures, effectively granting unauthorized access to files outside the designated working directory.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to enumerate entire directory structures, read arbitrary files, and potentially inject malicious content into the model's tool-result context. This creates a significant risk for systems where PraisonAI operates with elevated privileges or accesses sensitive data repositories. The vulnerability can be exploited through various attack vectors including model-generated function calls that may contain malicious path manipulation attempts, making it particularly dangerous in automated environments where AI systems interact with file system resources.

Security practitioners should recognize this vulnerability as a variant of CWE-22 Path Traversal and aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter through its exploitation of file system access mechanisms. The lack of proper input validation and path normalization creates an environment where attackers can escalate privileges and gain unauthorized access to sensitive information. Organizations using PraisonAI versions prior to 1.6.78 should implement immediate mitigations including patching to the latest version, implementing strict input validation for all file operations, and configuring robust path canonicalization mechanisms that ensure all paths are properly normalized before workspace containment checks are enforced.

The remediation approach requires comprehensive security controls that address both the immediate vulnerability and prevent similar issues in related components. System administrators should enforce mandatory path validation that rejects absolute paths and normalizes all user-supplied paths regardless of their initial format. Additionally, implementing proper sandboxing mechanisms for file system operations and establishing strict access controls around workspace directories will significantly reduce the attack surface. The vulnerability highlights the critical importance of proper input sanitization in AI systems where model-generated inputs can be leveraged to bypass traditional security controls, emphasizing the need for defense-in-depth strategies that protect against both known and unknown attack vectors.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!