CVE-2026-44340 - PraisonAI recipe symlink extraction escape

PraisonAI’s _safe_extractall validated archive member names, but did not validate symlink or hardlink targets and extracted tar members without a data filter. A malicious .praison bundle could create a link inside the destination directory that points outside it, then write through that link to an attacker-chosen path.

This matters for agent supply chains because recipes are executable context: they come from registries, tutorials, shared bundles, and team workflows. The safe default is to treat recipe archives as untrusted input until extraction is contained and link members are blocked.

When to use it

Use this recipe when a repository, agent marketplace, PraisonAI deployment, or recipe ingestion pipeline accepts .praison bundles or tar-based recipe archives. It is aimed at source-code remediation, archive extraction hygiene, agent supply-chain review, and audit evidence that recipe installs cannot write outside the intended destination.

Inputs

  • PraisonAI version, recipe ingestion code, archive extraction helper, marketplace/import workflow, and destination directory policy.
  • Source paths that inspect tar members, symlinks, hardlinks, path traversal, overwrite behavior, file permissions, and post-extraction execution.
  • Regression archives for symlinks, hardlinks, absolute paths, .. traversal, duplicate names, and expected reject/allow behavior using temporary dirs.
  • Boundary evidence for what recipe install can reach: workspace files, credentials, config directories, generated code, plugins, and startup hooks.

Affected versions

Package Vulnerable versions Fixed versions
PraisonAI <=4.6.36 4.6.37

Indicator-of-exposure

  • The repo installs PraisonAI <4.6.37.
  • Users run praisonai recipe pull, praisonai recipe publish, or praisonai recipe unpack.
  • The repository hosts a PraisonAI registry or processes uploaded .praison bundles.
  • Archive extraction code calls tar.extractall(...) without filter="data" or equivalent link handling.

Quick checks:

rg -n "PraisonAI|recipe pull|recipe publish|recipe unpack|_safe_extractall|tar\\.extractall|filter=\"data\"|\\.praison|issym\\(|islnk\\(" .
python -m pip show PraisonAI
pip freeze | rg -i "praisonai"

Remediation strategy

  • Upgrade PraisonAI to 4.6.37+.
  • Use Python tar extraction filters that reject symlinks, hardlinks, device nodes, absolute paths, and escaping paths.
  • If compatibility code is needed, explicitly reject links or validate resolved link targets before extraction.
  • Extract untrusted recipe archives into a temporary directory with least privilege before promotion.
  • Add tests with benign link members that prove extraction fails closed without writing outside the test destination.

The prompt

You are remediating CVE-2026-44340 in PraisonAI recipe archive extraction.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades PraisonAI, hardens recipe
  archive extraction, refreshes generated artifacts, and adds containment
  tests, or
- TRIAGE.md if this repository does not control an affected PraisonAI recipe
  workflow.

## Rules

- Scope only CVE-2026-44340 and directly related archive extraction controls.
- Do not create payloads that overwrite real user files, SSH config, shell
  profiles, cron, launch agents, site-packages, or project files outside a
  temporary test directory.
- Do not run untrusted `.praison` bundles from external sources.
- Do not print or commit secrets from extracted archives or user directories.
- Do not auto-merge.

## Steps

1. Inventory PraisonAI dependencies, recipe commands, registry services,
   archive upload paths, CI jobs, lockfiles, containers, docs, and examples.
2. Determine every resolved `PraisonAI` version. A target is vulnerable if it
   resolves to `<4.6.37`.
3. Search local extraction code for `tar.extractall`, `_safe_extractall`,
   `.praison`, `issym`, `islnk`, archive upload, recipe publish, and recipe
   unpack logic.
4. Upgrade PraisonAI to `4.6.37+`. Regenerate lockfiles, images, SBOMs,
   dependency reports, and docs.
5. If local archive code exists, implement fail-closed extraction:
   - extract into a fresh temporary directory;
   - reject absolute paths and `..` segments;
   - reject symlink and hardlink members or validate resolved targets;
   - use `filter="data"` or equivalent;
   - promote files only after validation;
   - run extraction as a least-privilege identity.
6. Add tests that include benign symlink/hardlink members and assert extraction
   fails without writing outside the temporary directory.
7. Add a PR body section named `CVE-2026-44340 operator actions` covering:
   affected recipe workflows, registries, historical bundles to quarantine,
   cache cleanup, package versions, and whether any extracted artifacts need
   rebuilding from trusted bundles.
8. Run validation: dependency install, archive tests, recipe pull/unpack tests
   using safe fixtures, lint/typecheck, container build, SBOM refresh, and
   dependency scan.
9. Use PR title:
   `fix(sec): contain PraisonAI recipe extraction`.

## Stop conditions

- No affected PraisonAI recipe workflow is controlled by this repo.
- The repository only consumes externally managed recipe processing; document
  the owner and version evidence in TRIAGE.md.
- Verification would require writing outside a temporary directory.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades PraisonAI, rejects link escape paths, uses safe tar extraction filters, adds containment tests, and documents cleanup for imported recipes.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, ingestion boundary, required fix, and residual supply-chain risk.
  • The output must include exact validation commands and must not overwrite real user files, install untrusted recipes, or execute imported recipe code.

Verification - what the reviewer looks for

  • PraisonAI >=4.6.37 is resolved everywhere.
  • Archive extraction rejects symlinks, hardlinks, absolute paths, and escaping paths.
  • Tests prove extraction does not write outside the destination.
  • Registry/cache/operator guidance covers old bundles.

Watch for

  • Reintroduced compatibility helpers that call extractall without a filter.
  • Recipe publish paths that validate archives but leave registry-side extraction vulnerable.
  • Containers or CI caches holding old PraisonAI versions.

References