Platform
nodejs
Component
praisonai
Fixed in
4.5.114
CVE-2026-39308 describes a Path Traversal vulnerability discovered in PraisonAI Recipe Registry. This flaw allows attackers to potentially write arbitrary files to the registry host by manipulating the manifest file within uploaded recipe bundles. Versions 1.5.0 through 4.5.113 are affected. A fix is available in version 1.5.113.
An attacker exploiting this vulnerability could use crafted manifest files within recipe bundles to write arbitrary files to the PraisonAI Recipe Registry server's filesystem. Possible impacts include overwriting critical system files, injecting malicious code, or gaining persistent access to the system. The ability to write files outside the designated registry root significantly expands the attack surface and blast radius. Although the registry rejects the request with an HTTP 400 error, the file has already been created by the time the rejection is returned, so the rejection does not prevent the write.
CVE-2026-39308 was publicly disclosed on 2026-04-07. Currently, there are no known public proof-of-concept exploits available. The vulnerability's EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing PraisonAI Recipe Registry in production environments, particularly those with automated deployment pipelines or allowing external recipe bundle uploads, are at risk. Shared hosting environments where multiple users can upload recipe bundles are also particularly vulnerable.
• nodejs / server:
  grep -rF '../' /var/log/nginx/access.log
• nodejs / server:
  journalctl -u praisonai-registry -g 'manifest.json'
• generic web:
  curl -I http://your-praisonai-registry/api/v1/recipes/upload | grep 'Server:'
Disclosure
Exploit status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39308 is to upgrade PraisonAI Recipe Registry to version 1.5.113 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing stricter input validation on the recipe bundle manifest files to prevent the inclusion of traversal sequences (e.g., ../). Web application firewalls (WAFs) configured to detect and block requests containing such sequences can also provide a temporary layer of protection. Monitor registry server logs for suspicious file creation activity, particularly in unexpected directories.
Update PraisonAI to version 1.5.113 or later to mitigate the path traversal vulnerability. Make sure access to the recipe registry is protected with a token to prevent unauthorized access. Review and properly configure write permissions on the registry directory to limit access to its files.
CVE-2026-39308 is a Path Traversal vulnerability affecting PraisonAI Recipe Registry versions 1.5.0 through 4.5.113, allowing attackers to potentially write arbitrary files to the registry host.
You are affected if you are running PraisonAI Recipe Registry versions 1.5.0 through 4.5.113. Upgrade to version 1.5.113 or later to mitigate the risk.
Upgrade PraisonAI Recipe Registry to version 1.5.113 or later. As a temporary workaround, implement a WAF rule to block requests with directory traversal sequences in the manifest file name.
There are currently no confirmed reports of active exploitation of CVE-2026-39308.
Refer to the PraisonAI security advisory for detailed information and updates: [https://praisonai.com/security/advisories](https://praisonai.com/security/advisories)