CVE-2026-40157
Published 2026-04-10
Priority P3 · 52 · High · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.38% (29.7th percentile)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 2.7.2 < 4.5.128 | 4.5.128 |
| praison | praisonai | < 4.5.128 | 4.5.128 |
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
ghsa · 2026-04-10 · CVE-2026-40157 [CRITICAL] CWE-22
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`
| Field | Value |
|---|---|
| Severity | Critical |
| Type | Path traversal -- arbitrary file write via `tar.extract()` without member validation |
| Affected | `src/praisonai/praisonai/cli/features/recipe.py:1170-1172` |
## Summary
`cmd_unpack` in the recipe CLI extracts `.praison` tar archives using raw `tar.extract()` without validating archive member paths. A `.praison` bundle containing `../../` entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run `praisonai recipe unpack`.
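The fix the advisory describes is to validate every archive member before it is handed to `tar.extract()`. The following is an added example, not PraisonAI's own code or its 4.5.128 patch: a `safe_unpack()` that refuses any member whose target (or, for links, whose link target) resolves outside the output directory, exercised against a constructed in-memory bundle that carries a `../../` entry. The function names, the `demo()` harness and the bundle contents are assumptions made for this illustration.

```python
import io
import tarfile
import tempfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """Raised when a tar member would write outside the output directory."""


def member_is_safe(out_dir: Path, m: tarfile.TarInfo) -> bool:
    """Return True only if extracting `m` keeps every written path inside out_dir.

    Called before each extract, so resolve() also sees symlinks created by
    earlier members and rejects a later member that would write through them.
    """
    out_dir = out_dir.resolve()
    if m.isdev():  # device nodes and FIFOs have no place in a recipe bundle
        return False
    # Absolute names and ".." components must still resolve to a path under out_dir.
    target = (out_dir / m.name).resolve()
    if target != out_dir and out_dir not in target.parents:
        return False
    if m.issym() or m.islnk():
        # Link targets are attacker-controlled too: symlinks are relative to the
        # member's own directory, hard links to the archive root.
        link_base = target.parent if m.issym() else out_dir
        link_target = (link_base / m.linkname).resolve()
        if link_target != out_dir and out_dir not in link_target.parents:
            return False
    return True


def safe_unpack(archive_bytes: bytes, out_dir: Path) -> list[str]:
    """Extract only validated members; returns the member names written."""
    out_dir.mkdir(parents=True, exist_ok=True)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not member_is_safe(out_dir, m):
                raise UnsafeArchiveMember(f"refusing to extract {m.name!r}")
            # On Python >= 3.12, tar.extract(m, out_dir, filter="data") applies
            # equivalent checks inside the standard library.
            tar.extract(m, out_dir)
            extracted.append(m.name)
    return extracted


def build_bundle(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory .praison-style tar.gz (test fixture, not a real bundle)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)  # name is stored verbatim, ".." included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Run safe_unpack over a benign bundle and a constructed traversal bundle."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "nested" / "recipe"  # two levels deep so ../../ lands in tmp
        benign = build_bundle({"recipe.yaml": b"name: demo\n", "agents/a.py": b"print('hi')\n"})
        results["benign"] = safe_unpack(benign, out)
        # Constructed malicious bundle: one member tries to climb out of the output directory.
        malicious = build_bundle({"recipe.yaml": b"name: evil\n", "../../escaped.txt": b"x\n"})
        try:
            safe_unpack(malicious, out)
            results["malicious"] = "extracted"
        except UnsafeArchiveMember as e:
            results["malicious"] = str(e)
        results["escaped_written"] = (Path(tmp) / "escaped.txt").exists()
        results["abs_path_rejected"] = not member_is_safe(out, tarfile.TarInfo("/absolute/path.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs per member immediately before that member's `extract()`, which matters for bundles that first drop a symlink and then a file whose path passes through it; a one-shot pre-scan of `getmembers()` names would miss that ordering.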
## Details
The vulnerable code is in `cli/features/recipe.py:1170-1172`. The advisory's snippet is truncated after `for m`; the loop below is reconstructed from the description (a raw per-member `tar.extract()` with no path validation), and the names other than `m` are assumptions:
```python
for m in tar.getmembers():
    tar.extract(m, output_dir)  # m.name is never checked against output_dir
```
VulDB
vuldb · 2026-04-10 · CVSS 9.4 · CVE-2026-40157 [CRITICAL]
MervinPraison PraisonAI up to 4.5.127 tar.extract path traversal (GHSA-99g3-w8gr-x37c)
A vulnerability was found in MervinPraison PraisonAI up to 4.5.127. It has been declared as critical. Affected is the function tar.extract. Such manipulation leads to path traversal.
This vulnerability is traded as CVE-2026-40157. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.