CVE-2026-44336 critical CVSS 9.6

Vulnerability in praison (CVE-2026-44336)

Summary

A vulnerability in praison (CVE-2026-44336). Successful exploitation can lead to full system takeover. Exploitable via `praisonai.rules.create`.

AI summary openai / gpt-4o

PraisonAI's system had a flaw allowing attackers to write and execute unauthorized code by altering specific files. This issue is resolved in version 4.6.34, and it is recommended to update as soon as possible and check for any abnormal activities within your systems.
PraisonAI's MCP server (praisonai mcp serve) registers four file-handling tools by default and accepts arguments from MCP tools/call without validation. By passing "rule_name" as "../../<path>", attackers can write to arbitrary files outside the intended directory. Placing a Python .pth file in the user site-packages directory leads to arbitrary code execution. Affected versions are those prior to 4.6.34; the issue is fixed in version 4.6.34. These path traversal vulnerabilities allow attackers to easily achieve remote code execution.
❓ What is the problem
PraisonAI MCP server's file-handling tools allow attackers to execute arbitrary code by manipulating file paths.
📍 Affected scope
MCP server tool endpoints: 'praisonai.rules.create', 'praisonai.rules.show', 'praisonai.rules.delete', 'praisonai.workflow.show'.
🔥 Severity
Critical severity with a CVSS v3 score of 9.6, indicating high potential for remote unauthorized access and code execution.
🔧 How to fix
Upgrade to PraisonAI version 4.6.34 to resolve the issues.
🛡️ Workaround
No specific workaround is available; immediate patching is recommended.
🔍 Detection
Monitor for unexpected .pth file writes in user site-packages directories and unusual file access patterns in ~/.praison/rules/.
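
One way to run the .pth check described under Detection, as an added example that is not part of the advisory or of PraisonAI's code. The function names are hypothetical; the rule it applies (a .pth line starting with `import` plus a space or tab is executed at interpreter startup) is the behaviour of Python's standard `site` module.

```python
"""Added example: audit .pth files for lines the interpreter executes at startup."""
import site
import sys
from pathlib import Path


def executable_pth_lines(directory):
    """Return (file_name, line_number, text) for each .pth line site.py would exec.

    site.py treats a .pth line starting with "import" followed by a space or
    tab as code and executes it on every interpreter start; all other lines
    are only path entries.
    """
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skipped here, review it by hand
        for number, line in enumerate(text.splitlines(), start=1):
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, number, line.strip()))
    return findings


def candidate_directories():
    """User site-packages first (the location the advisory names), then the rest."""
    dirs = [site.getusersitepackages()]
    dirs += site.getsitepackages() if hasattr(site, "getsitepackages") else []
    return [d for d in dict.fromkeys(dirs) if Path(d).is_dir()]


if __name__ == "__main__":
    hits = 0
    for directory in candidate_directories():
        for name, number, line in executable_pth_lines(directory):
            hits += 1
            print(f"{directory}/{name}:{number}: {line[:120]}")
    sys.exit(1 if hits else 0)  # non-zero exit so a scheduled job can alert
```

Legitimate packages also ship .pth files with `import` lines (setuptools' `distutils-precedence.pth`, some editable installs), so compare hits against a known-good baseline rather than treating every hit as malicious.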

Related past incidents
Similar incidents extracted from past CVEs

CVE-2021-41773
This vulnerability involved an Apache HTTP server path traversal issue that also allowed for remote content exposure or execution.
CVE-2022-22965
Also known as Spring4Shell, a vulnerability enabling remote code execution via data binding in Spring Core.
CVE-2021-21972
An RCE vulnerability in VMware vCenter Server stemming from improper URL path handling, with similar path traversal root causes.

If this happens at your company
Expected impact per business scenario

📌 E-commerce platform hosting
The platform could be compromised through unauthorized code executions, leading to data breaches and financial losses.
📌 Internal IT system management
Sensitive internal systems could be exposed to unauthorized access or manipulation, affecting data integrity and operational continuity.
📌 Machine Learning Model Management
AI models could be manipulated, affecting outcomes and decision-making processes critical to business operations.
Recommended action
Urgently update PraisonAI to version 4.6.34 or later and monitor systems for signs of compromise.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  1. Identify exposure (identify)
    grep -r 'praison' . | grep -v node_modules

    Grep for `praison` in the dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) of your repositories and production environments to identify which services and versions are running.

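  7. Post-deployment verification (verify)
    Confirm patched version is live in production

    After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as in Step 3 to make sure the alert does not recur.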
