External risk intelligence

PraisonAI can be tricked into running any code on your systems, potentially exposing sensitive files and admin control.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-44336

A critical flaw in PraisonAI allows unauthorized users to write files anywhere on your system, potentially leading to code execution and access to sensitive data. Upgrade PraisonAI to version 4.6.34 or newer immediately.

Halo Surface Signal: 2

Path Traversal

PraisonAI

before 4.6.34

External exposure likelihood

Halo Surface Signal score for CVE-2026-44336

The vulnerability affects an MCP (Model Context Protocol) server, which is typically a local or internal-facing component used to integrate AI clients with tools. While network reachability is possible in custom configurations, these services are not standard internet-facing gateways or public applications, making broad public internet exposure uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in PraisonAI allows an attacker to write arbitrary files on the system by manipulating file paths. This could lead to executing malicious code when the PraisonAI application or other Python processes are run.

  • Code execution is possible.
  • Affects users running the PraisonAI MCP server.
  • A patched version is available.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a PraisonAI MCP server into writing a malicious file to the server's file system. By crafting a request to write a `.pth` file to a specific location, an attacker can achieve arbitrary code execution when the user's Python environment loads the malicious file.

  • Targets PraisonAI MCP server.
  • Requires user to trigger a tool call.
  • Can execute arbitrary Python code.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to write arbitrary files by manipulating file path arguments within the PraisonAI MCP server. This could lead to arbitrary code execution by placing a malicious `.pth` file in a Python site-packages directory, impacting subsequent Python processes. The patch is available in version 4.6.34.

  • Affects PraisonAI MCP server.
  • Allows arbitrary file write.
  • Path traversal to code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize upgrading PraisonAI to version 4.6.34 or later to address the arbitrary file write vulnerability. If immediate patching is not feasible, isolate the PraisonAI MCP server to prevent potential code execution. Monitor network traffic for unusual PraisonAI MCP server activity.

  • Upgrade PraisonAI to 4.6.34+.
  • Isolate PraisonAI MCP servers.
  • Monitor for suspicious MCP activity.
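
A host-side check to go with the steps above, as an added example that is not part of the advisory or of PraisonAI: it lists every `.pth` line in the interpreter's site-packages directories that Python's `site` module would execute at startup. The function names `site_dirs` and `executable_pth_lines` are this example's own.

```python
"""Audit .pth files for lines that Python's site module executes at startup."""
import site
import sysconfig
from pathlib import Path


def site_dirs():
    """Return the existing site-packages directories of this interpreter."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    try:
        dirs.update(site.getsitepackages())
    except AttributeError:  # some old virtualenv layouts lack this function
        pass
    return sorted(Path(d) for d in dirs if d and Path(d).is_dir())


def executable_pth_lines(directory):
    """Return (file name, line number, text) for each executable .pth line.

    site.py runs exec() on any .pth line that begins with 'import' followed
    by a space or tab; every other non-comment line is only a path entry.
    """
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            # utf-8-sig drops a BOM so the first line is compared correctly
            text = pth.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue  # unreadable file: skip it here, check permissions by hand
        for number, line in enumerate(text.splitlines(), start=1):
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, number, line.strip()))
    return findings


if __name__ == "__main__":
    for directory in site_dirs():
        for name, number, line in executable_pth_lines(directory):
            print(f"{directory / name}:{number}: {line[:120]}")
```

Some legitimate packages also ship `.pth` files with import lines, so treat each hit as an item to review against what is installed. Run it with every interpreter and virtual environment the PraisonAI user account can write to.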

Frequently asked questions

What is PraisonAI and its MCP server's function?

PraisonAI is a system for multi-agent teams. Its MCP (Model Context Protocol) server, launched with `praisonai mcp serve`, centralizes task management, tool registration, and context handling for these AI agents.

How does CVE-2026-44336 lead to arbitrary code execution?

CVE-2026-44336 is a path traversal (CWE-22) and improper input validation (CWE-20) vulnerability in PraisonAI's MCP server. An attacker can trick the server into writing files outside its designated directory, such as placing a malicious `.pth` file in Python's site-packages, enabling arbitrary code execution in subsequent Python processes.

What is the trigger path for arbitrary file writes in PraisonAI?

An attacker can exploit this by providing manipulated file path arguments, like `../../<some-path>`, to the MCP server's file-handling tools. This allows the server to write files outside the intended `~/.praison/rules/` directory, bypassing containment checks.

What is the relevance of CVE-2026-44336 to system security?

This vulnerability allows an attacker to achieve arbitrary code execution by placing a malicious `.pth` file in a Python site-packages directory via path traversal. This impacts any subsequent Python process launched by the user, including CLI invocations, IDE scripts, or background services.

What steps should be taken to address the PraisonAI vulnerability?

It is recommended to upgrade PraisonAI to version 4.6.34 or later. If immediate patching is not possible, isolate the PraisonAI MCP server and monitor its network traffic for any unusual activity.
