Critical (9.6)

PraisonAI path traversal leads to RCE (CVE-2026-44336)

CVE-2026-44336

CVE-2026-44336: Critical path traversal in PraisonAI 4.6.33 and earlier allows arbitrary file write via MCP tools, leading to unauthenticated RCE. Update to 4.6.34 immediately.

Affected: Praison Praisonai

Patch now - CVE-2026-44336 is a critical path traversal vulnerability in PraisonAI 4.6.33 and earlier that lets unauthenticated remote attackers write arbitrary files and achieve code execution on any Python process the user runs.

Overview

CVE-2026-44336 affects PraisonAI’s MCP (Model Context Protocol) server component. Four default file-handling tools (praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show) accept user-supplied path or filename strings without validation. The tools join these strings onto the ~/.praison/rules/ base directory (or treat them as absolute paths for workflow.show) without checking for directory traversal sequences like ../../.

The root cause is twofold: the JSON-RPC dispatcher passes raw params["arguments"] to handler functions via **kwargs without validating them against the advertised input schema, and the path-joining logic performs no containment check against the allowed directory.

Exploitation path

An attacker can set rule_name=../../.local/lib/python3.x/site-packages/evil.pth to drop a Python .pth file into the user’s site-packages directory. Python automatically executes code from .pth files on interpreter startup, giving the attacker arbitrary code execution in any subsequent Python process the user spawns - including PraisonAI CLI runs, IDE script execution, or background Python services.

Impact

  • CVSS 9.6 (Critical) with NETWORK attack vector, LOW complexity, and NO privileges required
  • Full arbitrary file write as the running user
  • Escalation to remote code execution via Python .pth injection
  • No authentication required for exploitation
  • The only user interaction required is that the victim runs the MCP server

Remediation

Update PraisonAI to version 4.6.34 immediately. The patch adds proper path containment validation to all MCP file-handling tools, preventing directory traversal attacks. No workarounds are available - the vulnerable MCP tools cannot be safely disabled without breaking core functionality.
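The two controls the root-cause and remediation sections describe, as an added defensive example (not PraisonAI's code): the dispatcher checks `params["arguments"]` against the tool's advertised input schema before anything reaches a handler via `**kwargs`, and the path helper resolves the rule name against the base directory and refuses any result that lands outside it. The schema shape, the function names and the `/tmp/praison-rules` base directory are assumptions.

```python
from pathlib import Path

# Hypothetical advertised input schema for a rules tool (constructed for this example).
RULES_SCHEMA = {
    "type": "object",
    "properties": {"rule_name": {"type": "string"}},
    "required": ["rule_name"],
    "additionalProperties": False,
}


def validate_arguments(schema: dict, arguments: dict) -> dict:
    """Reject JSON-RPC arguments that do not match the advertised schema
    (unknown keys, missing required keys, wrong types) before **kwargs dispatch."""
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in arguments:
            raise ValueError(f"missing required argument: {key}")
    for key, value in arguments.items():
        if key not in props:
            if not schema.get("additionalProperties", True):
                raise ValueError(f"unexpected argument: {key}")
            continue
        if props[key].get("type") == "string" and not isinstance(value, str):
            raise TypeError(f"argument {key} must be a string")
    return arguments


def resolve_contained(base_dir, rule_name: str) -> Path:
    """Join an untrusted name onto base_dir and refuse any path that escapes it."""
    if not rule_name or Path(rule_name).is_absolute():
        raise ValueError("rule_name must be a non-empty relative name")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the containment
    # check is made on the real on-disk location, not the string the caller sent.
    candidate = (base / rule_name).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"rule_name escapes {base}: {rule_name!r}")
    return candidate


def safe_rule_path(base_dir, arguments: dict) -> Path:
    """Schema check first, then containment check: the order a dispatcher should use."""
    args = validate_arguments(RULES_SCHEMA, arguments)
    return resolve_contained(base_dir, args["rule_name"])


def is_safe_rule_request(base_dir, arguments: dict) -> bool:
    """Boolean form of safe_rule_path for logging or tests."""
    try:
        safe_rule_path(base_dir, arguments)
        return True
    except (ValueError, TypeError):
        return False
```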

Security Insight

This vulnerability follows a pattern seen in AI development frameworks rushed to market: exposing powerful filesystem operations through agentic interfaces without applying standard input validation. The **kwargs blind pass-through pattern is a recurring risk in AI tool dispatchers, where rapid prototyping shortcuts security fundamentals. Organizations running AI agent frameworks should audit their MCP-like tool dispatchers for similar parameter injection paths - the same pattern could allow attackers to pivot from tool calling to full host compromise in any framework that mirrors this architecture. As noted in discussions of AI SOC agent hype, the rush to integrate autonomous tools often overlooks basic containment boundaries.
