CVE-2026-44336 - PraisonAI MCP tools/call path traversal RCE

PraisonAI’s MCP server registered file-handling tools by default and passed MCP tools/call arguments directly into handlers. Several handlers joined attacker-controlled path values onto user directories, or accepted absolute paths, without containment checks. A malicious MCP client or a prompt-injected LLM could write outside ~/.praison/rules/, read arbitrary files, delete files, and escalate a write primitive by planting a Python .pth file in a user site-packages directory.

This is a secure-context failure: tool schemas were advertised to the model but not enforced at dispatch, and “rule” tools became ambient filesystem authority.

When to use it

Use this recipe when a repository, PraisonAI deployment, or MCP server exposes default file tools through tools/call. It supports source-code remediation, MCP filesystem containment, path traversal review, and audit evidence that model-influenced tool calls cannot read/write outside approved roots or plant Python execution primitives.

Inputs

  • PraisonAI version, MCP file-tool registration, default enabled tools, filesystem roots, schemas, and deployment boundary.
  • Source paths for tools/call, file read/write/delete handlers, path joins, schema validation, .pth-relevant write locations, and error serialization.
  • Regression fixtures for absolute paths, .. traversal, symlinks, Python site package writes, valid allowed files, and disabled default file tools.
  • Runtime boundary evidence: user home paths, rules directories, Python import paths, credentials, generated files, and who can issue MCP tool calls.

Affected versions

Package Vulnerable versions Fixed versions
PraisonAI <=4.6.33 4.6.34

Indicator-of-exposure

  • The repo installs or launches PraisonAI <4.6.34.
  • praisonai mcp serve is used over stdio or HTTP-stream.
  • MCP tools include praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, or praisonai.workflow.show.
  • MCP clients can auto-approve those tools or feed them with content from web pages, tickets, docs, email, RAG corpora, or user-supplied files.
  • The PraisonAI process can read secrets, write user config, write site-packages, or access other MCP client config files.

Quick checks:

rg -n "praisonai|praisonai mcp serve|praisonai\\.rules\\.|praisonai\\.workflow\\.show|tools/call|http-stream|\\.pth|site-packages" .
python -m pip show PraisonAI praisonaiagents
pip freeze | rg -i "praisonai"

Remediation strategy

  • Upgrade PraisonAI to 4.6.34+ everywhere the repository controls runtime, image, lockfile, notebook, agent host, or MCP server setup.
  • Remove default registration of filesystem tools unless a human intentionally opts in with a constrained workspace root.
  • Enforce JSON Schema for MCP tool arguments before dispatch.
  • Reject absolute paths, .. segments, symlinks, and paths escaping the configured workspace root. Resolve paths before open/write/delete.
  • Require API keys for HTTP-stream transport and fail closed for non-loopback binds.
  • Rotate secrets if a vulnerable MCP server ran with access to MCP configs, SSH keys, cloud credentials, model provider tokens, source workspaces, or package credentials.

The prompt

You are remediating CVE-2026-44336 in PraisonAI MCP filesystem tools.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades PraisonAI, removes or gates
  unsafe MCP filesystem tools, enforces argument schemas and path containment,
  refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected PraisonAI MCP runtime
  or cannot safely patch it.

## Rules

- Scope only CVE-2026-44336 and directly related MCP filesystem, schema, and
  transport hardening.
- Do not create `.pth` payloads, persistence files, authorized_keys entries,
  shell profile changes, launch agents, cron jobs, or destructive delete tests.
- Do not read, print, copy, or commit secrets, SSH keys, MCP client configs,
  cloud credentials, browser profiles, environment files, or source archives.
- Do not leave filesystem MCP tools enabled by default for untrusted model
  output.
- Do not auto-merge.

## Steps

1. Inventory all PraisonAI package references, lockfiles, containers, notebooks,
   CLI wrappers, MCP server configs, Desktop/Cursor/Continue/Claude Code config,
   docs, and deployment manifests controlled by this repository.
2. Determine every resolved `PraisonAI` version. A target is vulnerable if it
   resolves to `<4.6.34`.
3. Search for `praisonai mcp serve`, `http-stream`, `tools/call`,
   `praisonai.rules.*`, `praisonai.workflow.show`, and any auto-approval rules
   for PraisonAI tools.
4. Upgrade `PraisonAI` to `4.6.34+`. Regenerate lockfiles, images, SBOMs,
   dependency reports, generated MCP manifests, and docs.
5. If the repository owns wrappers or a fork, implement fail-closed MCP
   filesystem policy:
   - no filesystem tools registered by default;
   - explicit workspace root required;
   - `Path.resolve()` containment checks before read/write/delete;
   - absolute paths and `..` segments rejected;
   - symlink escapes rejected;
   - JSON Schema validation rejects unknown or mistyped arguments.
6. Harden transport:
   - HTTP-stream requires an API key;
   - non-loopback bind fails without an explicit config and auth;
   - MCP clients cannot auto-approve filesystem writes or deletes by default.
7. Add safe tests that use harmless temporary directories and assert traversal
   attempts are rejected. Do not write outside the test temp directory.
8. Add a PR body section named `CVE-2026-44336 operator actions` covering:
   versions before/after, MCP tools found, client configs to review,
   filesystem scope before/after, affected users/hosts, and credentials that
   should be rotated if exposure was plausible.
9. Run validation: dependency install, unit tests, MCP schema/path tests,
   lint/typecheck, container build, SBOM refresh, dependency scan, and any
   policy checks in the repo.
10. Use PR title:
    `fix(sec): contain PraisonAI MCP filesystem tools`.

## Stop conditions

- No controlled runtime uses PraisonAI MCP.
- All controlled targets already resolve `PraisonAI >=4.6.34` and generated
  artifacts are current.
- The product intentionally exposes filesystem MCP tools to untrusted model
  output; document the owner decision and safer design in TRIAGE.md.
- Verification would require reading secrets, planting persistence, or running
  a code-execution payload.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades PraisonAI, disables default file tools where appropriate, enforces schemas/root containment, adds traversal/RCE regression tests, and documents cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, MCP file-tool boundary, writable paths, required fix, and residual risk.
  • The output must include exact validation commands and must not write to real home directories, plant .pth files, execute code, or expose secrets.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, notebook, or MCP setup resolves PraisonAI <4.6.34.
  • Filesystem tools are removed, opt-in only, or constrained to a reviewed workspace root.
  • MCP argument schemas are enforced before dispatch.
  • Tests prove traversal and absolute-path inputs fail closed without touching real user files.
  • Operator actions cover MCP client configs and credential rotation.

Watch for

  • Stdio MCP deployments where prompt injection can still call filesystem tools even without HTTP exposure.
  • Auto-approval rules that treat “rules.create” as low-risk.
  • Examples, templates, or desktop configs that keep vulnerable PraisonAI MCP servers installed after package upgrades.

References