Platform: nodejs
Component: praisonai
Fixed in: 4.5.114
CVE-2026-39308 describes a Path Traversal vulnerability discovered in PraisonAI Recipe Registry. This flaw allows attackers to potentially write arbitrary files to the registry host by manipulating the manifest file within uploaded recipe bundles. Versions 1.5.0 through 4.5.113 are affected. A fix is available in version 1.5.113.
The vulnerability stems from insufficient validation of the manifest file's path during recipe bundle uploads. An attacker can craft a malicious recipe bundle containing a manifest file with directory traversal sequences (e.g., ../). When the PraisonAI Recipe Registry processes this bundle, it may write files to locations outside the intended registry root directory. This could allow an attacker to overwrite critical system files, potentially leading to remote code execution or denial of service. The impact is amplified if the registry server runs with elevated privileges, as this would grant the attacker broader control over the system.
CVE-2026-39308 was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade PraisonAI Recipe Registry to version 1.5.113 or later, which includes the necessary validation checks. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences in the manifest file name. Additionally, restrict write access to the registry root directory to only authorized processes. Regularly review and audit uploaded recipe bundles for suspicious content. After upgrade, confirm the fix by attempting to upload a recipe bundle with a malicious manifest file containing directory traversal sequences; the upload should be rejected with an appropriate error.
Update PraisonAI to version 1.5.113 or later to mitigate the path traversal vulnerability. Ensure that access to the recipe registry is protected with a token to prevent unauthorized access. Review and properly configure write permissions on the registry directory to limit access to its files.
CVE-2026-39308 is a Path Traversal vulnerability affecting PraisonAI Recipe Registry versions 1.5.0 through 4.5.113, allowing attackers to potentially write arbitrary files to the registry host.
You are affected if you are running PraisonAI Recipe Registry versions 1.5.0 through 4.5.113. Upgrade to version 1.5.113 or later to mitigate the risk.
Upgrade PraisonAI Recipe Registry to version 1.5.113 or later. As a temporary workaround, implement a WAF rule to block requests with directory traversal sequences in the manifest file name.
There are currently no confirmed reports of active exploitation of CVE-2026-39308.
Refer to the PraisonAI security advisory for detailed information and updates: [https://praisonai.com/security/advisories](https://praisonai.com/security/advisories)