CVE-2026-44336

May 8, 2026, 7:08 p.m.

9.4
Critical

Description

PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns — the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34.

Product(s) Impacted

Vendor Product Versions
Praison
  • Praisonai
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a praison praisonai / / / / / / / /

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9mqq-jqxf-grvw

Tags

CWE-20
[email protected]
2026-05-08
CVE-2026-44336

CVSS Score

9.4 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 8, 2026, 2:16 p.m.
Last Modified: May 8, 2026, 7:08 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

Linked Attack Reports

How attackers are jailbreaking LLMs with CTF framing and how to catch them

Threat actors are bypassing AI model safety guardrails by framing exploit requests as legitimate security research, such as capture-the-flag challenges or CVE-hunting exercises. This technique manipulates upstream LLMs into generating working exploit code that attackers deploy against real targets.…
credential harvesting
CVE-2026-33017
CVE-2026-39987
ai agent exploitation
CVE-2026-40281
CVE-2026-42208
CVE-2026-42271
CVE-2026-44336
CVE-2026-44694
CVE-2026-42266
CVE-2026-42589
CVE-2026-45331
CVE-2026-45397
CVE-2026-45672
CVE-2026-45301
2026-06-15
ai platform targeting
ctf framing
cve exploitation
CVE-2026-42302
CVE-2026-47391
llm jailbreaking
prompt injection
rce campaigns
Published: June 15, 2026
Linked vulnerabilities : CVE-2026-0770 (CVSS 9.8), CVE-2026-33017 (CVSS 9.3), CVE-2026-39987 (CVSS 9.3), CVE-2026-40281 (CVSS 10.0), CVE-2026-42208 (CVSS 9.3), CVE-2026-42271 (CVSS 8.7), CVE-2026-44336 (CVSS 9.4), CVE-2026-44694 (CVSS 7.2), CVE-2026-42589 (CVSS 9.8), CVE-2026-45331 (CVSS 8.5), CVE-2026-45672 (CVSS 8.8), CVE-2026-45301 (CVSS 8.1), CVE-2026-47391
Downloadable IOCs: 6

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.