CVE-2026-44336 - PraisonAI MCP tools/call path traversal RCE
PraisonAI’s MCP server registered file-handling tools by default and passed MCP
tools/call arguments directly into handlers. Several handlers joined
attacker-controlled path values onto user directories, or accepted absolute
paths, without containment checks. A malicious MCP client or a prompt-injected
LLM could write outside ~/.praison/rules/, read arbitrary files, delete
files, and escalate a write primitive by planting a Python .pth file in a
user site-packages directory.
This is a secure-context failure: tool schemas were advertised to the model but not enforced at dispatch, and “rule” tools became ambient filesystem authority.
When to use it
Use this recipe when a repository, PraisonAI deployment, or MCP server exposes
default file tools through tools/call. It supports source-code remediation,
MCP filesystem containment, path traversal review, and audit evidence that
model-influenced tool calls cannot read/write outside approved roots or plant
Python execution primitives.
Inputs
- PraisonAI version, MCP file-tool registration, default enabled tools, filesystem roots, schemas, and deployment boundary.
- Source paths for
tools/call, file read/write/delete handlers, path joins, schema validation,.pth-relevant write locations, and error serialization. - Regression fixtures for absolute paths,
..traversal, symlinks, Python site package writes, valid allowed files, and disabled default file tools. - Runtime boundary evidence: user home paths, rules directories, Python import paths, credentials, generated files, and who can issue MCP tool calls.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
PraisonAI |
<=4.6.33 |
4.6.34 |
Indicator-of-exposure
- The repo installs or launches
PraisonAI <4.6.34. praisonai mcp serveis used over stdio or HTTP-stream.- MCP tools include
praisonai.rules.create,praisonai.rules.show,praisonai.rules.delete, orpraisonai.workflow.show. - MCP clients can auto-approve those tools or feed them with content from web pages, tickets, docs, email, RAG corpora, or user-supplied files.
- The PraisonAI process can read secrets, write user config, write site-packages, or access other MCP client config files.
Quick checks:
rg -n "praisonai|praisonai mcp serve|praisonai\\.rules\\.|praisonai\\.workflow\\.show|tools/call|http-stream|\\.pth|site-packages" .
python -m pip show PraisonAI praisonaiagents
pip freeze | rg -i "praisonai"
Remediation strategy
- Upgrade PraisonAI to
4.6.34+everywhere the repository controls runtime, image, lockfile, notebook, agent host, or MCP server setup. - Remove default registration of filesystem tools unless a human intentionally opts in with a constrained workspace root.
- Enforce JSON Schema for MCP tool arguments before dispatch.
- Reject absolute paths,
..segments, symlinks, and paths escaping the configured workspace root. Resolve paths before open/write/delete. - Require API keys for HTTP-stream transport and fail closed for non-loopback binds.
- Rotate secrets if a vulnerable MCP server ran with access to MCP configs, SSH keys, cloud credentials, model provider tokens, source workspaces, or package credentials.
The prompt
You are remediating CVE-2026-44336 in PraisonAI MCP filesystem tools.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades PraisonAI, removes or gates
unsafe MCP filesystem tools, enforces argument schemas and path containment,
refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected PraisonAI MCP runtime
or cannot safely patch it.
## Rules
- Scope only CVE-2026-44336 and directly related MCP filesystem, schema, and
transport hardening.
- Do not create `.pth` payloads, persistence files, authorized_keys entries,
shell profile changes, launch agents, cron jobs, or destructive delete tests.
- Do not read, print, copy, or commit secrets, SSH keys, MCP client configs,
cloud credentials, browser profiles, environment files, or source archives.
- Do not leave filesystem MCP tools enabled by default for untrusted model
output.
- Do not auto-merge.
## Steps
1. Inventory all PraisonAI package references, lockfiles, containers, notebooks,
CLI wrappers, MCP server configs, Desktop/Cursor/Continue/Claude Code config,
docs, and deployment manifests controlled by this repository.
2. Determine every resolved `PraisonAI` version. A target is vulnerable if it
resolves to `<4.6.34`.
3. Search for `praisonai mcp serve`, `http-stream`, `tools/call`,
`praisonai.rules.*`, `praisonai.workflow.show`, and any auto-approval rules
for PraisonAI tools.
4. Upgrade `PraisonAI` to `4.6.34+`. Regenerate lockfiles, images, SBOMs,
dependency reports, generated MCP manifests, and docs.
5. If the repository owns wrappers or a fork, implement fail-closed MCP
filesystem policy:
- no filesystem tools registered by default;
- explicit workspace root required;
- `Path.resolve()` containment checks before read/write/delete;
- absolute paths and `..` segments rejected;
- symlink escapes rejected;
- JSON Schema validation rejects unknown or mistyped arguments.
6. Harden transport:
- HTTP-stream requires an API key;
- non-loopback bind fails without an explicit config and auth;
- MCP clients cannot auto-approve filesystem writes or deletes by default.
7. Add safe tests that use harmless temporary directories and assert traversal
attempts are rejected. Do not write outside the test temp directory.
8. Add a PR body section named `CVE-2026-44336 operator actions` covering:
versions before/after, MCP tools found, client configs to review,
filesystem scope before/after, affected users/hosts, and credentials that
should be rotated if exposure was plausible.
9. Run validation: dependency install, unit tests, MCP schema/path tests,
lint/typecheck, container build, SBOM refresh, dependency scan, and any
policy checks in the repo.
10. Use PR title:
`fix(sec): contain PraisonAI MCP filesystem tools`.
## Stop conditions
- No controlled runtime uses PraisonAI MCP.
- All controlled targets already resolve `PraisonAI >=4.6.34` and generated
artifacts are current.
- The product intentionally exposes filesystem MCP tools to untrusted model
output; document the owner decision and safer design in TRIAGE.md.
- Verification would require reading secrets, planting persistence, or running
a code-execution payload.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades PraisonAI, disables default file tools where appropriate, enforces schemas/root containment, adds traversal/RCE regression tests, and documents cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, MCP file-tool boundary, writable paths, required fix, and residual risk. - The output must include exact validation commands and must not write to real
home directories, plant
.pthfiles, execute code, or expose secrets.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, notebook, or MCP setup resolves
PraisonAI <4.6.34. - Filesystem tools are removed, opt-in only, or constrained to a reviewed workspace root.
- MCP argument schemas are enforced before dispatch.
- Tests prove traversal and absolute-path inputs fail closed without touching real user files.
- Operator actions cover MCP client configs and credential rotation.
Watch for
- Stdio MCP deployments where prompt injection can still call filesystem tools even without HTTP exposure.
- Auto-approval rules that treat “rules.create” as low-risk.
- Examples, templates, or desktop configs that keep vulnerable PraisonAI MCP servers installed after package upgrades.
Related recipes
- Source code attack surface map
- Source code secrets and data exposure audit
- Source code injection sink audit
- SAST finding triage and fix