Path Traversal Vulnerability in PraisonAI by MervinPraison
CVE-2026-60089
What is CVE-2026-60089?
The PraisonAI software (specifically the pip package praisonaiagents) contains a vulnerability that allows unsanitized values from a project-local .praisonai/config.toml file to dictate where output files are saved. When users initialize an Agent without providing an explicit output file path, the defaults are automatically loaded, which may include malicious paths set by an attacker. This leads to a situation where an attacker can manipulate the output_file setting to an absolute or '..' traversal path, effectively granting them the ability to overwrite files outside the project's root directory. This behavior poses significant security risks as it operates with the privileges of the user running PraisonAI, enabling unauthorized file access and potential system harm.
Affected Version(s)
PraisonAI 0 < 1.6.78
PraisonAI 1.6.78
