CVE-2026-35615

CRITICAL SEVERITY

Vulnerability Description

PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is fixed in 1.5.113.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 09, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

pip

Product

PraisonAI

External References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5
https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113
https://github.com/advisories/GHSA-693f-pf34-72c5

CVE-2026-35615

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment