Path Traversal Vulnerability in PraisonAI by MervinPraison
CVE-2026-60089

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-60089?

The PraisonAI software (specifically the pip package praisonaiagents) contains a vulnerability that allows unsanitized values from a project-local .praisonai/config.toml file to dictate where output files are saved. When users initialize an Agent without providing an explicit output file path, the defaults are automatically loaded, which may include malicious paths set by an attacker. This leads to a situation where an attacker can manipulate the output_file setting to an absolute or '..' traversal path, effectively granting them the ability to overwrite files outside the project's root directory. This behavior poses significant security risks as it operates with the privileges of the user running PraisonAI, enabling unauthorized file access and potential system harm.

Affected Version(s)

PraisonAI 0 < 1.6.78

PraisonAI 1.6.78

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.