Platform
python
Component
praisonaiai
Fixed in
4.5.114
CVE-2026-35615 describes a critical Path Traversal vulnerability affecting PraisonAI, a multi-agent team system. Because of a flawed validation check within the validatepath() function, attackers can bypass the intended restriction and access arbitrary files on the system. This vulnerability impacts versions 1.5.0 through 4.5.112 and is resolved in version 1.5.113.
This Path Traversal vulnerability allows an attacker to read any file accessible to the PraisonAI process. This includes sensitive configuration files, user data, and potentially even system files. Successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. The lack of proper path validation means an attacker doesn't need to perform complex manipulation; simply crafting a request with malicious path components is sufficient to bypass the intended security check. The ability to read arbitrary files significantly expands the attack surface and potential impact of this vulnerability.
CVE-2026-35615 was publicly disclosed on 2026-04-07. No known public exploits or active campaigns targeting this vulnerability have been reported as of this writing. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring.
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35615 is to immediately upgrade PraisonAI to version 1.5.113 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious path characters (e.g., '..', '/', '\'). Restrict file access permissions for the PraisonAI process to the absolute minimum required for its operation. Monitor system logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to access a restricted file via a crafted path traversal request; the request should be denied.
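As an added illustration of the containment check a fix for this class of bug needs (example code written for this page, not PraisonAI's own validatepath() implementation), the function below canonicalises both the base directory and the requested path before testing containment, so "..", absolute paths and symlinks that point outside the base are all rejected. The directory layout in demo() is constructed in a temporary directory.

```python
import os
import tempfile
from typing import Dict, Optional


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Join user_path onto base_dir and return the canonical path only if it
    stays inside base_dir; return None otherwise.

    os.path.realpath collapses "..", duplicate separators and symlinks before
    the containment test, so the decision is made on the path the OS would
    actually open rather than on the raw request string.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, which realpath
    # then exposes as a path outside base.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        inside = False
    return candidate if inside else None


def demo() -> Dict[str, bool]:
    """Exercise safe_join against a constructed workspace (hypothetical layout)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "workspace")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "reports"))
    os.makedirs(outside)
    with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
        fh.write("ok\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("constructed secret\n")
    # A symlink inside the workspace that resolves to a directory outside it.
    os.symlink(outside, os.path.join(base, "link"))
    return {
        "plain_file_allowed": safe_join(base, "reports/q1.txt") is not None,
        "dotdot_blocked": safe_join(base, "../outside/secret.txt") is None,
        "absolute_blocked": safe_join(base, os.path.join(outside, "secret.txt")) is None,
        "symlink_escape_blocked": safe_join(base, "link/secret.txt") is None,
        "internal_dotdot_allowed": safe_join(base, "reports/../reports/q1.txt") is not None,
    }
```

The symlink case is the one a plain string check for ".." cannot catch; the WAF rules mentioned above reduce exposure but do not replace a server-side check of this kind.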
Update PraisonAI to version 1.5.113 or later to mitigate the directory traversal vulnerability. The update corrects the faulty path validation, preventing attackers from accessing arbitrary files on the system.
CVE-2026-35615 is a critical vulnerability in PraisonAI versions 1.5.0 through 4.5.112 that allows attackers to read any file on the system due to a flawed path validation check.
You are affected if you are running PraisonAI versions 1.5.0 through 4.5.112. Upgrade to version 1.5.113 or later to resolve this vulnerability.
The recommended fix is to upgrade PraisonAI to version 1.5.113 or later. As a temporary workaround, implement a WAF to block suspicious path characters.
No active exploitation campaigns have been reported as of this writing, but the vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
Refer to the PraisonAI security advisory for detailed information and updates: [Replace with actual PraisonAI advisory URL when available]