{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40152", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.013Z", "datePublished": "2026-04-09T21:26:49.586Z", "dateUpdated": "2026-04-09T21:26:49.586Z"}, "containers": {"cna": {"title": "PraisonAIAgents has a Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"version": "< 1.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:26:49.586Z"}, "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. path segments, an attacker can use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace, obtaining file metadata (existence, name, size, timestamps) for any path on the filesystem. This vulnerability is fixed in 1.5.128."}], "source": {"advisory": "GHSA-7j2f-xc8p-fjmq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. path segments, an attacker can use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace, obtaining file metadata (existence, name, size, timestamps) for any path on the filesystem. This vulnerability is fixed in 1.5.128."}], "id": "CVE-2026-40152", "lastModified": "2026-04-09T22:16:36.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:36.193", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAIAgents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-10T00:05:43.546429+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAIAgents to version 1.5.128 or later", "Restrict access to list_files to authenticated and authorized users if the upgrade cannot be applied immediately", "If upgrade is not feasible, disable glob pattern support or manually enforce workspace boundary checks in the configuration", "Verify that the patch or configuration change is in place on all affected instances"], "summary": {"action": "Patch", "impact": "Unauthorized File Enumeration"}, "threat_synthesis": {"affected_systems": "The flaw affects all deployments of PraisonAIAgents distributed by MervinPraison with a version older than 1.5.128. The issue was fixed in release 1.5.128, so any installation newer than that version is not impacted. No other vendors or product variants are reported.", "description_and_impact": "PraisonAIAgents is a multi\u2011agent system that offers a list_files tool to enumerate files within a workspace. Prior to version 1.5.128, the tool validated the directory argument against workspace boundaries via an internal check, but it passed the user\u2011supplied glob pattern directly to Python\u2019s Path.glob() without validation. Because Path.glob() accepts parent path segments, an attacker can embed relative traversal components (..), allowing the enumeration of files outside the intended workspace. The exposed data \u2013 file names, sizes and timestamps \u2013 represents an information\u2011disclosure vulnerability (CWE\u201122) rather than a code\u2011execution flaw. The vulnerability therefore enables an attacker to discover the existence and characteristics of arbitrary filesystem objects without modifying them.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the ability to invoke the list_files function; if the API endpoint is reachable from the network, an attacker can supply a crafted glob pattern and trigger the flaw remotely. The impact is limited to file metadata disclosure, which can aid further attacks but does not allow direct code execution. Overall risk is moderate, warranting prompt remediation."}}}}, "created": "2026-04-10T08:38:02.239183+00:00", "updated": "2026-04-10T09:28:44.947346+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonaiagents"]}