Path Traversal Vulnerability in PraisonAIAgents Multi-Agent Teams System
CVE-2026-40152

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 9 April 2026

What is CVE-2026-40152?

PraisonAIAgents, a system for multi-agent teams, contains a path traversal vulnerability in the list_files() utility of FileTools. Prior to version 1.5.128, the tool's validation of the directory parameter still allowed user-supplied patterns to be passed directly to Python's Path.glob() function without appropriate checks. An attacker can use relative path traversal to obtain sensitive metadata about files located outside the designated workspace, including file existence, names, sizes, and timestamps. The flaw highlights the importance of validating user-supplied input.
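The class of bug described above, shown next to a hardened form. This is an added example, not PraisonAIAgents code: the function names, parameters and directory layout are hypothetical and the sample files are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

def _describe(p: Path) -> dict:
    st = p.stat()
    return {"name": p.name, "size": st.st_size, "modified": st.st_mtime}

def list_files_unsafe(workspace: Path, pattern: str = "*") -> list:
    # Pre-fix shape described in the advisory: the pattern reaches
    # Path.glob() unchecked, so "../" segments walk out of the workspace.
    return [_describe(p) for p in workspace.glob(pattern)]

def list_files_safe(workspace: Path, pattern: str = "*") -> list:
    root = workspace.resolve()
    # 1. Reject absolute patterns and parent-directory segments up front.
    if os.path.isabs(pattern) or ".." in re.split(r"[\\/]+", pattern):
        raise ValueError(f"pattern escapes workspace: {pattern!r}")
    results = []
    for match in root.glob(pattern):
        # 2. Defense in depth: resolve symlinks and confirm containment.
        real = match.resolve()
        if real == root or root in real.parents:
            results.append(_describe(real))
    return results

def demo() -> dict:
    # Constructed layout: <tmp>/workspace/notes.txt and <tmp>/outside.txt
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        ws = base / "workspace"
        ws.mkdir()
        (ws / "notes.txt").write_text("in scope")
        (base / "outside.txt").write_text("out of scope")
        leaked = [f["name"] for f in list_files_unsafe(ws, "../*")]
        try:
            list_files_safe(ws, "../*")
            blocked = False
        except ValueError:
            blocked = True
        allowed = [f["name"] for f in list_files_safe(ws, "*.txt")]
        return {"leaked": sorted(leaked), "blocked": blocked, "allowed": allowed}

if __name__ == "__main__":
    print(demo())
```

The containment check on the resolved path is what catches cases the string check cannot see, such as a symlink inside the workspace that points elsewhere.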

Affected Version(s)

PraisonAIAgents < 1.5.128

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
