File Path Traversal Vulnerability in PraisonAI Multi-Agent System by PraisonAI
CVE-2026-44336

9.4 CRITICAL

Key Information:

CVE Published: 8 May 2026

What is CVE-2026-44336?

The MCP server in the PraisonAI multi-agent system improperly handles file paths. Before version 4.6.34, specific tool handlers could be manipulated into path traversal, letting an attacker write files outside the intended directories. By dropping malicious files in user-accessible directories, an attacker could potentially achieve arbitrary code execution. The vulnerability has been addressed in the latest versions.

Affected Version(s)

PraisonAI < 4.6.34

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
