GHSA-J7QX-P75M-WP7G

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
Details

PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage

Summary

PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools through ctx.get_tools():

ctx = setup_dynamic_context()

agent = Agent(
    instructions="You are a data analyst.",
    tools=ctx.get_tools(),
    hooks=[ctx.get_middleware()],
)

The official documentation describes these helpers as a way for the agent to explore large tool-output artifacts that were queued by the middleware:

  • large tool outputs are saved as artifacts;
  • the agent receives compact artifact references; and
  • the agent uses artifact_tail and artifact_grep to explore that data.

The implemented artifact tools do not enforce that the supplied artifact_path is an artifact created by the configured store or that it lives under the configured artifact base directory. Instead, artifact_head, artifact_tail, artifact_grep, and artifact_chunk wrap the caller-supplied path directly into an ArtifactRef and then read it from the host filesystem.

As a result, any prompt/user/tool-caller that can influence those tool arguments can read files readable by the PraisonAI process, such as project .env files, cloud credentials, SSH keys, source files, or other local data.

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: pip
  • Package: praisonai
  • Component: Dynamic Context Discovery artifact tools
  • Current source path: src/praisonai/praisonai/context/queue.py
  • Artifact store path: src/praisonai/praisonai/context/artifact_store.py
  • Latest PyPI version validated: 4.6.58
  • Current origin/main validated: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
  • Current origin/main tag validated: v4.6.58

Suggested affected range:

pip:praisonai >= 3.8.1, <= 4.6.58

Representative local sweep:

  • 3.8.1: vulnerable
  • 4.0.0: vulnerable
  • 4.5.113: vulnerable
  • 4.6.33: vulnerable
  • 4.6.34: vulnerable
  • 4.6.40: vulnerable
  • 4.6.50: vulnerable
  • 4.6.58: vulnerable

Root Cause

create_artifact_tools() creates an artifact store bound to base_dir, but the read tools do not use base_dir for containment.

For example, artifact_head() accepts artifact_path and immediately creates an ArtifactRef with that path:

def artifact_head(artifact_path: str, lines: int = 50) -> str:
    ref = ArtifactRef(path=artifact_path, summary="", size_bytes=0)
    try:
        return artifact_store.head(ref, lines=lines)
    except FileNotFoundError:
        return f"Error: Artifact not found: {artifact_path}"

artifact_tail(), artifact_grep(), and artifact_chunk() have the same pattern. They trust the caller-supplied path rather than resolving it through an artifact identifier, store lookup, manifest, or base-directory containment check.

The store methods then read that path directly:

def head(self, ref: ArtifactRef, lines: int = 50) -> str:
    file_path = Path(ref.path)
    if not file_path.exists():
        raise FileNotFoundError(f"Artifact not found: {ref.path}")

    result_lines = []
    with open(file_path, "r", encoding="utf-8", errors="replace") as f:
        ...

There is no check equivalent to:

resolved = Path(ref.path).resolve()
base = self.base_dir.resolve()
resolved.relative_to(base)

There is also no check that the file has a valid .meta sidecar or appears in artifact_list().

Local PoV

Run against the latest PyPI package:

uv run --with 'praisonai==4.6.58' \
  python poc/pov_prai_cand_026_artifact_tools_arbitrary_file_read.py --json

The PoV:

  1. Creates a temporary artifact base directory.
  2. Creates a separate outside-secret.txt file outside that base directory.
  3. Stores one legitimate artifact through FileSystemArtifactStore.store().
  4. Calls artifact_head() on the legitimate artifact as a positive control.
  5. Calls artifact_head(), artifact_grep(), and artifact_chunk() on the outside file path.
  6. Confirms artifact_list() does not list the outside file.

Observed output summary from evidence/pov-pypi-4.6.58.json:

{
  "package": "praisonai",
  "package_version": "4.6.58",
  "controls": {
    "outside_file_not_listed": true,
    "outside_file_outside_base_dir": true,
    "valid_artifact_read_works": true
  },
  "outside_head": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET",
  "outside_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\\n  second line",
  "outside_chunk": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET",
  "outside_file_listed_by_artifact_list": false,
  "vulnerable": true
}

The PoV was rerun successfully after a fresh origin/main fetch; see evidence/pov-pypi-4.6.58-rerun.json.

The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.

Why This Is Not Intended Behavior

This report does not claim that every file-reading tool is automatically a vulnerability. The issue is narrower: tools documented and named as artifact helpers accept arbitrary host file paths.

The controls show the intended boundary:

  • a valid artifact stored under base_dir is readable;
  • an outside file is not returned by artifact_list();
  • the outside file is outside base_dir; and
  • the read helpers still disclose the outside file when handed its absolute path.

PraisonAI's own context-security documentation recommends relative paths and reviewing ignore rules to avoid sensitive-file exposure. Those controls are bypassed when artifact tools can be pointed directly at any readable host path.

Impact

If a PraisonAI application exposes an agent with ctx.get_tools() to untrusted or lower-trust prompts, the lower-trust caller can request artifact tools against arbitrary local paths. This can disclose sensitive host files readable by the PraisonAI process, including:

  • project .env files;
  • cloud or service credentials;
  • SSH keys;
  • local application configuration;
  • source files and private data; and
  • terminal/history artifacts from other runs if the path is known or guessed.

The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.

Duplicate Posture

I checked visible PraisonAI advisories and local prior PraisonAI submissions. This is distinct from nearby file-read/file-write issues:

  • GHSA-9cr9-25q5-8prj / CVE-2026-47394 covers MCP CLI workflow.show, workflow.validate, and deploy.validate path handling. This report covers Dynamic Context Discovery artifact tools in context/queue.py.
  • GHSA-hvhp-v2gc-268q / CVE-2026-47397 covers write_file arbitrary file write when workspace=None. This report is a read-only disclosure issue in artifact helper tools.
  • Public recipe registry path traversal advisories cover recipe publish/pull storage and extraction. This report does not involve the recipe registry.
  • Local prior submissions in this harness do not cover artifact_head, artifact_tail, artifact_grep, artifact_chunk, or FileSystemArtifactStore path containment.

Severity

Suggested severity: High.

Suggested CVSS v3.1:

Rationale:

  • AV: applies when an application exposes a PraisonAI agent over a network chat/API surface, which is a documented PraisonAI deployment pattern.
  • AC: no race, special environment, or complex path manipulation is required; an absolute readable path is sufficient.
  • PR: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this as PR:L.
  • UI: the attacker directly supplies the prompt/tool argument to the exposed agent surface.
  • C: arbitrary readable host files can contain secrets or private data.
  • I/A: this report demonstrates read-only disclosure.

Remediation

Do not let artifact tools open arbitrary paths. Prefer stable artifact IDs over raw filesystem paths in tool arguments.

Recommended fixes:

  1. Change tool schemas to accept artifact_id plus optional run_id and agent_id, then resolve those through the artifact store's metadata/index.
  2. If path arguments must remain for compatibility, resolve the path with Path(path).resolve() and reject it unless it is under artifact_store.base_dir.resolve().
  3. Require a valid artifact metadata sidecar for read helpers. Files not created by FileSystemArtifactStore.store() should not be readable through artifact tools.
  4. Apply the same containment check to load(), head(), tail(), grep(), chunk(), and delete().
  5. Avoid returning absolute host paths in prompt-visible artifact references when an opaque artifact ID would suffice.

Minimal containment helper:

def _resolve_artifact_path(self, path: str) -> Path:
    resolved = Path(path).expanduser().resolve()
    base = self.base_dir.resolve()
    try:
        resolved.relative_to(base)
    except ValueError as exc:
        raise PermissionError("Artifact path is outside artifact storage") from exc
    return resolved

This helper should be paired with metadata-sidecar validation so arbitrary non-artifact files placed under the base directory are not automatically treated as valid artifacts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.1"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage\n\n## Summary\n\nPraisonAI\u0027s Dynamic Context Discovery feature exposes artifact helper tools\nthrough `ctx.get_tools()`:\n\n```python\nctx = setup_dynamic_context()\n\nagent = Agent(\n    instructions=\"You are a data analyst.\",\n    tools=ctx.get_tools(),\n    hooks=[ctx.get_middleware()],\n)\n```\n\nThe official documentation describes these helpers as a way for the agent to\nexplore large tool-output artifacts that were queued by the middleware:\n\n- large tool outputs are saved as artifacts;\n- the agent receives compact artifact references; and\n- the agent uses `artifact_tail` and `artifact_grep` to explore that data.\n\nThe implemented artifact tools do not enforce that the supplied\n`artifact_path` is an artifact created by the configured store or that it lives\nunder the configured artifact base directory. Instead, `artifact_head`,\n`artifact_tail`, `artifact_grep`, and `artifact_chunk` wrap the caller-supplied\npath directly into an `ArtifactRef` and then read it from the host filesystem.\n\nAs a result, any prompt/user/tool-caller that can influence those tool\narguments can read files readable by the PraisonAI process, such as project\n`.env` files, cloud credentials, SSH keys, source files, or other local data.\n\n## Affected Product\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `pip`\n- Package: `praisonai`\n- Component: Dynamic Context Discovery artifact tools\n- Current source path: `src/praisonai/praisonai/context/queue.py`\n- Artifact store path: `src/praisonai/praisonai/context/artifact_store.py`\n- Latest PyPI version validated: `4.6.58`\n- Current `origin/main` validated:\n  `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- Current `origin/main` tag validated: `v4.6.58`\n\nSuggested affected range:\n\n```text\npip:praisonai \u003e= 3.8.1, \u003c= 4.6.58\n```\n\nRepresentative local sweep:\n\n- `3.8.1`: vulnerable\n- `4.0.0`: vulnerable\n- `4.5.113`: vulnerable\n- `4.6.33`: vulnerable\n- `4.6.34`: vulnerable\n- `4.6.40`: vulnerable\n- `4.6.50`: vulnerable\n- `4.6.58`: vulnerable\n\n## Root Cause\n\n`create_artifact_tools()` creates an artifact store bound to `base_dir`, but the\nread tools do not use `base_dir` for containment.\n\nFor example, `artifact_head()` accepts `artifact_path` and immediately creates\nan `ArtifactRef` with that path:\n\n```python\ndef artifact_head(artifact_path: str, lines: int = 50) -\u003e str:\n    ref = ArtifactRef(path=artifact_path, summary=\"\", size_bytes=0)\n    try:\n        return artifact_store.head(ref, lines=lines)\n    except FileNotFoundError:\n        return f\"Error: Artifact not found: {artifact_path}\"\n```\n\n`artifact_tail()`, `artifact_grep()`, and `artifact_chunk()` have the same\npattern. They trust the caller-supplied path rather than resolving it through\nan artifact identifier, store lookup, manifest, or base-directory containment\ncheck.\n\nThe store methods then read that path directly:\n\n```python\ndef head(self, ref: ArtifactRef, lines: int = 50) -\u003e str:\n    file_path = Path(ref.path)\n    if not file_path.exists():\n        raise FileNotFoundError(f\"Artifact not found: {ref.path}\")\n\n    result_lines = []\n    with open(file_path, \"r\", encoding=\"utf-8\", errors=\"replace\") as f:\n        ...\n```\n\nThere is no check equivalent to:\n\n```python\nresolved = Path(ref.path).resolve()\nbase = self.base_dir.resolve()\nresolved.relative_to(base)\n```\n\nThere is also no check that the file has a valid `.meta` sidecar or appears in\n`artifact_list()`.\n\n## Local PoV\n\nRun against the latest PyPI package:\n\n```bash\nuv run --with \u0027praisonai==4.6.58\u0027 \\\n  python poc/pov_prai_cand_026_artifact_tools_arbitrary_file_read.py --json\n```\n\nThe PoV:\n\n1. Creates a temporary artifact base directory.\n2. Creates a separate `outside-secret.txt` file outside that base directory.\n3. Stores one legitimate artifact through `FileSystemArtifactStore.store()`.\n4. Calls `artifact_head()` on the legitimate artifact as a positive control.\n5. Calls `artifact_head()`, `artifact_grep()`, and `artifact_chunk()` on the\n   outside file path.\n6. Confirms `artifact_list()` does not list the outside file.\n\nObserved output summary from `evidence/pov-pypi-4.6.58.json`:\n\n```json\n{\n  \"package\": \"praisonai\",\n  \"package_version\": \"4.6.58\",\n  \"controls\": {\n    \"outside_file_not_listed\": true,\n    \"outside_file_outside_base_dir\": true,\n    \"valid_artifact_read_works\": true\n  },\n  \"outside_head\": \"PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\",\n  \"outside_grep\": \"Found 1 matches:\\\\n\\\\n--- Line 1 ---\\\\n\u003e PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\\\\n  second line\",\n  \"outside_chunk\": \"PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\",\n  \"outside_file_listed_by_artifact_list\": false,\n  \"vulnerable\": true\n}\n```\n\nThe PoV was rerun successfully after a fresh `origin/main` fetch; see\n`evidence/pov-pypi-4.6.58-rerun.json`.\n\nThe PoV is local-only. It does not start a server, contact a third-party\ntarget, or use real credentials.\n\n## Why This Is Not Intended Behavior\n\nThis report does not claim that every file-reading tool is automatically a\nvulnerability. The issue is narrower: tools documented and named as artifact\nhelpers accept arbitrary host file paths.\n\nThe controls show the intended boundary:\n\n- a valid artifact stored under `base_dir` is readable;\n- an outside file is not returned by `artifact_list()`;\n- the outside file is outside `base_dir`; and\n- the read helpers still disclose the outside file when handed its absolute\n  path.\n\nPraisonAI\u0027s own context-security documentation recommends relative paths and\nreviewing ignore rules to avoid sensitive-file exposure. Those controls are\nbypassed when artifact tools can be pointed directly at any readable host path.\n\n## Impact\n\nIf a PraisonAI application exposes an agent with `ctx.get_tools()` to\nuntrusted or lower-trust prompts, the lower-trust caller can request artifact\ntools against arbitrary local paths. This can disclose sensitive host files\nreadable by the PraisonAI process, including:\n\n- project `.env` files;\n- cloud or service credentials;\n- SSH keys;\n- local application configuration;\n- source files and private data; and\n- terminal/history artifacts from other runs if the path is known or guessed.\n\nThe impact is confidentiality-only in the tested surface. Integrity and\navailability are not claimed for this report.\n\n## Duplicate Posture\n\nI checked visible PraisonAI advisories and local prior PraisonAI submissions.\nThis is distinct from nearby file-read/file-write issues:\n\n- `GHSA-9cr9-25q5-8prj` / `CVE-2026-47394` covers MCP CLI\n  `workflow.show`, `workflow.validate`, and `deploy.validate` path handling.\n  This report covers Dynamic Context Discovery artifact tools in\n  `context/queue.py`.\n- `GHSA-hvhp-v2gc-268q` / `CVE-2026-47397` covers `write_file` arbitrary file\n  write when `workspace=None`. This report is a read-only disclosure issue in\n  artifact helper tools.\n- Public recipe registry path traversal advisories cover recipe publish/pull\n  storage and extraction. This report does not involve the recipe registry.\n- Local prior submissions in this harness do not cover `artifact_head`,\n  `artifact_tail`, `artifact_grep`, `artifact_chunk`, or\n  `FileSystemArtifactStore` path containment.\n\n## Severity\n\nSuggested severity: High.\n\nSuggested CVSS v3.1:\n\nRationale:\n\n- `AV`: applies when an application exposes a PraisonAI agent over a network\n  chat/API surface, which is a documented PraisonAI deployment pattern.\n- `AC`: no race, special environment, or complex path manipulation is\n  required; an absolute readable path is sufficient.\n- `PR`: an unauthenticated or public-facing agent endpoint can be exploited\n  without an account. Deployments that require authenticated chat/API access\n  may score this as `PR:L`.\n- `UI`: the attacker directly supplies the prompt/tool argument to the\n  exposed agent surface.\n- `C`: arbitrary readable host files can contain secrets or private data.\n- `I/A`: this report demonstrates read-only disclosure.\n\n## Remediation\n\nDo not let artifact tools open arbitrary paths. Prefer stable artifact IDs over\nraw filesystem paths in tool arguments.\n\nRecommended fixes:\n\n1. Change tool schemas to accept `artifact_id` plus optional `run_id` and\n   `agent_id`, then resolve those through the artifact store\u0027s metadata/index.\n2. If path arguments must remain for compatibility, resolve the path with\n   `Path(path).resolve()` and reject it unless it is under\n   `artifact_store.base_dir.resolve()`.\n3. Require a valid artifact metadata sidecar for read helpers. Files not\n   created by `FileSystemArtifactStore.store()` should not be readable through\n   artifact tools.\n4. Apply the same containment check to `load()`, `head()`, `tail()`, `grep()`,\n   `chunk()`, and `delete()`.\n5. Avoid returning absolute host paths in prompt-visible artifact references\n   when an opaque artifact ID would suffice.\n\nMinimal containment helper:\n\n```python\ndef _resolve_artifact_path(self, path: str) -\u003e Path:\n    resolved = Path(path).expanduser().resolve()\n    base = self.base_dir.resolve()\n    try:\n        resolved.relative_to(base)\n    except ValueError as exc:\n        raise PermissionError(\"Artifact path is outside artifact storage\") from exc\n    return resolved\n```\n\nThis helper should be paired with metadata-sidecar validation so arbitrary\nnon-artifact files placed under the base directory are not automatically\ntreated as valid artifacts.",
  "id": "GHSA-j7qx-p75m-wp7g",
  "modified": "2026-06-18T13:52:51Z",
  "published": "2026-06-18T13:52:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-j7qx-p75m-wp7g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…