CVE-2026-47394
published 2026-05-30CVE-2026-47394: A vulnerability classified as critical was found in MervinPraison PraisonAI. This affects the function workflow.show/workflow.validate/deploy.validate…
critical9.4
A vulnerability classified as critical was found in MervinPraison PraisonAI. This affects the function workflow.show/workflow.validate/deploy.validate. Executing a manipulation can lead to path traversal.
This vulnerability is tracked as CVE-2026-47394. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
ghsa·2026-06-18
CVE-2026-47394 [HIGH] CWE-200 PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
# PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
## Summary
PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools
through `ctx.get_tools()`:
```python
ctx = setup_dynamic_context()
agent = Agent(
instructions="You are a data analyst.",
tools=ctx.get_tools(),
hooks=[ctx.get_middleware()],
)
```
The official documentation describes these helpers as a way for the agent to
explore large tool-output artifacts that were queued by the middleware:
- large tool outputs are saved as artifacts;
- the agent receives compact artifact references; and
- the agent uses `artifact_tail` and `artifact_grep` to explore that data.
The implemented
VulDB
MervinPraison PraisonAI up to 4.6.37 workflow.show/workflow.validate/deploy.validate path traversal
vuldb·2026-05-30
CVE-2026-47394 [CRITICAL] MervinPraison PraisonAI up to 4.6.37 workflow.show/workflow.validate/deploy.validate path traversal
A vulnerability classified as critical was found in MervinPraison PraisonAI. This affects the function workflow.show/workflow.validate/deploy.validate. Executing a manipulation can lead to path traversal.
This vulnerability is tracked as CVE-2026-47394. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
ghsa·2026-05-29·CVSS 9.4
CVE-2026-47394 [CRITICAL] CWE-200 PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
## Summary
The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`:
> "registers four file-handling tools by default, `praisonai.rules.create`, `praisonai.rules.show`, `praisonai.rules.delete`, **and `praisonai.workflow.show`**. Each accepts a path or filename string from MCP `tools/call` arguments… **with no containment check**."
Commit `68cc9427` ("fix(security): harden MCP rules path handling…") added a `_resolve_rule_path()` helper and applied it to `rules.create`, `rules.show`, and `rules.delete`. `workflow.show` was left unchanged. Two adjacent handlers i
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-30
Published