Arbitrary File Write Vulnerability in PraisonAI by Mervin Praison
CVE-2026-39308

7.1 HIGH

Key Information:

CVE Published: 7 April 2026

What is CVE-2026-39308?

PraisonAI, a multi-agent teams system, has a vulnerability in its recipe registry publish endpoint prior to version 1.5.113. The endpoint accepts path traversal sequences in the bundle manifest, which lets a malicious user write files outside the designated registry root. If the registry operates without token protection, any network client can exploit this flaw; even when a token is in place, any user with publish access can still trigger it. Although such requests return an HTTP 400 error, the underlying risk of exposing the registry remains significant. The vulnerability is resolved in version 1.5.113.
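
As an added illustration of the defence a publish endpoint needs (example code written for this page, not PraisonAI's own implementation), the check below maps each manifest file name onto the registry root and refuses the whole bundle if any entry would resolve outside it. The manifest format, the `files` key and the sample names are assumptions for the demo.

```python
# Added example (not PraisonAI's code): containment check for recipe bundle
# manifest paths before a publish endpoint writes anything under the registry root.
import tempfile
from pathlib import Path


class UnsafeManifestPath(ValueError):
    """A manifest entry that would land outside the registry root."""


def resolve_inside_root(root: Path, entry: str) -> Path:
    """Map a manifest-relative file name to its destination under root.

    Rejects empty, absolute and '..'-containing names up front, then resolves
    the joined path (following symlinks) and requires the result to be strictly
    inside the resolved root, so a symlinked directory cannot escape either.
    """
    name = entry.replace("\\", "/")  # treat Windows separators the same way
    parts = name.split("/")
    if not name or name.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise UnsafeManifestPath(f"rejected manifest path: {entry!r}")
    root_resolved = root.resolve()
    dest = (root_resolved / name).resolve()
    if root_resolved not in dest.parents:
        raise UnsafeManifestPath(f"escapes registry root: {entry!r}")
    return dest


def validate_manifest(root: Path, manifest: dict) -> dict:
    """Return {entry: 'ok' | 'rejected'} for every file listed in the manifest.

    A publish handler should refuse the whole bundle (HTTP 400) if any entry is
    rejected and only then start writing; checking after a partial write is too
    late, because files outside the root may already exist by then.
    """
    verdicts = {}
    for entry in manifest.get("files", []):
        try:
            resolve_inside_root(root, entry)
            verdicts[entry] = "ok"
        except UnsafeManifestPath:
            verdicts[entry] = "rejected"
    return verdicts


# Constructed manifest for the demo; the names are illustrative, not from the advisory.
EXAMPLE_MANIFEST = {
    "name": "demo-recipe",
    "files": [
        "recipes/demo/recipe.yaml",  # normal entry, stays inside the root
        "../../outside.txt",         # traversal sequence, would escape the root
        "/tmp/demo.conf",            # absolute path, ignores the root entirely
        "recipes/./demo/x.py",       # '.' component, rejected by the strict filter
    ],
}


def demo() -> dict:
    """Run the check against EXAMPLE_MANIFEST in a throwaway registry root."""
    with tempfile.TemporaryDirectory() as tmp:
        return validate_manifest(Path(tmp), EXAMPLE_MANIFEST)
```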

Affected Version(s)

PraisonAI < 4.5.113

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved