{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40117", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.537Z", "datePublished": "2026-04-09T21:21:28.463Z", "dateUpdated": "2026-04-10T18:14:21.572Z"}, "containers": {"cna": {"title": "PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"version": "< 1.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:21:28.463Z"}, "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128."}], "source": {"advisory": "GHSA-grrg-5cg9-58pf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:14:12.343930Z", "id": "CVE-2026-40117", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:14:21.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40117", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:14:12.343930Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:14:17.768Z"}}], "cna": {"title": "PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate", "source": {"advisory": "GHSA-grrg-5cg9-58pf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"status": "affected", "version": "< 1.5.128"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:21:28.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40117", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:14:21.572Z", "dateReserved": "2026-04-09T01:41:38.537Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:21:28.463Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128."}], "id": "CVE-2026-40117", "lastModified": "2026-04-09T22:16:35.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:35.447", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAIAgents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T22:40:25.543361+00:00", "value": {"mitigation_remediation": ["Update PraisonAIAgents to version 1.5.128 or newer", "Restrict or sanitize prompt inputs to prevent prompt injection into agents", "Enable audit logging for file access by agents and review logs for anomalous activity"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized File Read"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PraisonAIAgents product by MervinPraison. All instances running a version earlier than 1.5.128 are susceptible to arbitrary file reads through the unprotected read_skill_file() routine.", "description_and_impact": "The read_skill_file() function in PraisonAIAgents accepts a skill_path parameter without any restriction. Unlike other file access helpers, it does not enforce a workspace boundary or require an approval gate. As a result, an attacker who can influence an agent\u2019s prompt can supply a crafted path and exfiltrate arbitrary files from the host filesystem. This flaw leads to a confidentiality breach but does not directly impact availability or integrity of the system.", "risk_and_exploitability": "The CVSS score of 6.2 indicates moderate severity. The EPSS score is not available, so the current exploit probability is unclear. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw requires an attacker to inject a prompt that reaches the agent, the attack vector is likely local or within an environment where prompt injection is possible; it is inferred that remote exploitation would depend on additional interfaces that accept untrusted prompts."}}}}, "created": "2026-04-10T08:38:11.368370+00:00", "updated": "2026-04-10T09:28:53.919779+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonaiagents"]}