Platform
python
Component
praisonaiai
Fixed version
4.5.114
CVE-2026-35615 describes a critical Path Traversal vulnerability affecting PraisonAI, a multi-agent teams system. Due to a flawed validation check within the validatepath() function, attackers can bypass security measures and access arbitrary files on the system. This vulnerability impacts versions 1.5.0 through 4.5.112 and is resolved in version 1.5.113.
This Path Traversal vulnerability allows an attacker to read any file accessible to the PraisonAI process. This includes sensitive configuration files, user data, and potentially even system files. Successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. The lack of proper path validation means an attacker doesn't need to perform complex manipulation; simply crafting a request with malicious path components is sufficient to bypass the intended security check. The ability to read arbitrary files significantly expands the attack surface and potential impact of this vulnerability.
CVE-2026-35615 was publicly disclosed on 2026-04-07. No known public exploits or active campaigns targeting this vulnerability have been reported as of this writing. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring.
Organizations deploying PraisonAI in environments with limited access controls or those running older, unpatched versions (1.5.0 - 4.5.112) are particularly at risk. Shared hosting environments where multiple users share the same PraisonAI instance are also vulnerable, as an attacker could potentially exploit this vulnerability to access data belonging to other users.
• python: Monitor PraisonAI process logs for requests containing '..' or '/' characters.

```python
# Example: Check for suspicious paths in PraisonAI logs
import re

# Match a '..' segment followed by a path separator. The earlier pattern r'\|/'
# only matched the literal two characters "|/" and would never flag traversal.
TRAVERSAL = re.compile(r'\.\.[/\\]')

with open('praisonai.log', 'r') as f:
    for line in f:
        if TRAVERSAL.search(line):
            print(f'Suspicious path detected: {line.rstrip()}')
```

• generic web: Use curl or wget to attempt path traversal attacks against PraisonAI endpoints.

```shell
curl 'http://praisonai/../../../../etc/passwd' # Example path traversal attempt
```

• linux / server: Use lsof to identify processes accessing sensitive files.

```shell
lsof /etc/passwd | grep praisonai
```
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35615 is to immediately upgrade PraisonAI to version 1.5.113 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious path characters (e.g., '..', '/', '\'). Restrict file access permissions for the PraisonAI process to the absolute minimum required for its operation. Monitor system logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to access a restricted file via a crafted path traversal request; the request should be denied.
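As an added example (not PraisonAI's own code; the page does not reproduce the project's validatepath() function), the following Python shows the containment check a correct path validator performs: resolve the requested path against the single permitted base directory, then compare path components rather than string prefixes, and decode URL-encoded input before validating so that an encoded '..' cannot slip past. The base directory /srv/praisonai/data and the function names are assumptions for illustration.

```python
# Added example: a containment check for user-supplied file paths, of the kind
# a correct path validator should perform. Not PraisonAI's code; the base
# directory and names below are hypothetical.
from pathlib import Path
from urllib.parse import unquote

BASE_DIR = "/srv/praisonai/data"  # hypothetical directory the process may serve from


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted base directory."""


def validate_path(base_dir: str, requested: str) -> Path:
    """Return the resolved path if it lies inside base_dir, otherwise raise.

    The check resolves '..' components and symlinks before comparing, and
    compares path components instead of using a string prefix test: with a
    prefix test, '/srv/praisonai/data_old' or 'a/../../etc/passwd' would pass.
    """
    base = Path(base_dir).resolve()
    # A NUL byte truncates the path in some C-level file APIs; refuse it outright.
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    # Joining an absolute 'requested' discards 'base', so '/etc/passwd' resolves
    # to itself and is rejected by the containment test below.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{requested!r} resolves outside {base}")
    return candidate


def validate_request_path(base_dir: str, url_path: str) -> Path:
    """Validate a path taken from a URL: percent-decode once, then check.

    Checking the raw encoded string would accept '%2e%2e/' because the '..'
    only appears after decoding; a later layer that decodes would then
    traverse. Decode exactly once, and reject anything still encoded so that
    double-encoded input cannot reach the filesystem layer in a different form.
    """
    decoded = unquote(url_path)
    if "%" in decoded:
        raise PathTraversalError("double-encoded path rejected")
    return validate_path(base_dir, decoded)


def is_safe(base_dir: str, requested: str) -> bool:
    try:
        validate_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def is_safe_request(base_dir: str, url_path: str) -> bool:
    try:
        validate_request_path(base_dir, url_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request and several escapes.
    for p in ["reports/2026/summary.txt", "../../../../etc/passwd",
              "/etc/passwd", "reports/../../secrets", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p!r:40} safe={is_safe_request(BASE_DIR, p)}")
```

The decisive line is the `base not in candidate.parents` comparison after `resolve()`: both sides are canonical paths, so neither a sibling directory sharing the prefix nor a `..` sequence hidden behind a legitimate-looking first component can satisfy it. Decoding once and rejecting any remaining `%` keeps the validated string identical to what the filesystem layer will open.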
Updating PraisonAI to version 1.5.113 or later mitigates the directory traversal vulnerability. The update corrects the faulty path validation and prevents an attacker from accessing arbitrary files on the system.
CVE-2026-35615 is a critical vulnerability in PraisonAI versions 1.5.0 through 4.5.112 that allows attackers to read any file on the system due to a flawed path validation check.
You are affected if you are running PraisonAI versions 1.5.0 through 4.5.112. Upgrade to version 1.5.113 or later to resolve this vulnerability.
The recommended fix is to upgrade PraisonAI to version 1.5.113 or later. As a temporary workaround, implement a WAF to block suspicious path characters.
No active exploitation campaigns have been reported as of this writing, but the vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
Refer to the PraisonAI security advisory for detailed information and updates: [Replace with actual PraisonAI advisory URL when available]