CVE-2026-60089: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MervinPraison PraisonAI
PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.
AI Analysis
Technical Summary
CVE-2026-60089 describes a path traversal vulnerability in MervinPraison's PraisonAI (pip package praisonaiagents) prior to version 1.6.78. The software automatically loads defaults from a project-local .praisonai/config.toml file when constructing an Agent, but does not validate the 'defaults.output.output_file' path. This allows an attacker controlling the repository to set this path to an absolute or directory-traversal value. If the developer calls agent.start() without specifying an output parameter, PraisonAI writes the agent response to the attacker-controlled path, creating parent directories as needed. This can lead to overwriting files outside the project root with the privileges of the user running PraisonAI.
Potential Impact
An attacker who can control the project-local configuration file can cause PraisonAI to overwrite arbitrary files on the filesystem with the privileges of the user running the software. This can lead to unauthorized modification or destruction of files outside the intended directory, potentially compromising system integrity or causing denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid running PraisonAI with untrusted project-local configuration files or explicitly specify safe output paths when calling agent.start().
CVE-2026-60089: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MervinPraison PraisonAI
Description
PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.
CVSS v4.0
Score 6.9medium
Affected software
pkg:github/mervinpraison/PraisonAIRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-60089 describes a path traversal vulnerability in MervinPraison's PraisonAI (pip package praisonaiagents) prior to version 1.6.78. The software automatically loads defaults from a project-local .praisonai/config.toml file when constructing an Agent, but does not validate the 'defaults.output.output_file' path. This allows an attacker controlling the repository to set this path to an absolute or directory-traversal value. If the developer calls agent.start() without specifying an output parameter, PraisonAI writes the agent response to the attacker-controlled path, creating parent directories as needed. This can lead to overwriting files outside the project root with the privileges of the user running PraisonAI.
Potential Impact
An attacker who can control the project-local configuration file can cause PraisonAI to overwrite arbitrary files on the filesystem with the privileges of the user running the software. This can lead to unauthorized modification or destruction of files outside the intended directory, potentially compromising system integrity or causing denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid running PraisonAI with untrusted project-local configuration files or explicitly specify safe output paths when calling agent.start().
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-08T12:14:28.344Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a51062b68715ace43b8482d
Added to database: 07/10/2026, 14:48:11 UTC
Last enriched: 07/10/2026, 15:04:03 UTC
Last updated: 07/10/2026, 15:51:55 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.