CVE-2026-40117
published 2026-04-09CVE-2026-40117: PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by…
PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.23%
14.1th percentile
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonaiagents | < 1.5.128 | 1.5.128 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.128 | 1.5.128 |
| praison | praisonaiagents | < 1.5.128 | 1.5.128 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
MervinPraison PraisonAIAgents up to 1.5.127 skill_tools.py read_skill_file skill_path authorization (GHSA-grrg-5cg9-58pf)
vuldb·2026-04-10·CVSS 6.2
CVE-2026-40117 [MEDIUM] MervinPraison PraisonAIAgents up to 1.5.127 skill_tools.py read_skill_file skill_path authorization (GHSA-grrg-5cg9-58pf)
A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127. It has been declared as problematic. Impacted is the function read_skill_file of the file skill_tools.py. Such manipulation of the argument skill_path leads to missing authorization.
This vulnerability is listed as CVE-2026-40117. The attack must be carried out locally. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
ghsa·2026-04-10
CVE-2026-40117 [MEDIUM] CWE-862 PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
## Summary
`read_skill_file()` in `skill_tools.py` allows reading arbitrary files from the filesystem by accepting an unrestricted `skill_path` parameter. Unlike `file_tools.read_file` which enforces workspace boundary confinement, and unlike `run_skill_script` which requires critical-level approval, `read_skill_file` has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt.
## Details
The vulnerability is a missing authorization check in `read_skill_file()` at `src/praisonai-agents/praisonaiagents/tools/skill_tools.py:128`.
The function's path validation on line 163 only ensures `file_path` doesn't escape `s
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-09
Published