CVE-2026-44340 - PraisonAI recipe symlink extraction escape
PraisonAI’s _safe_extractall validated archive member names, but did not
validate symlink or hardlink targets and extracted tar members without a data
filter. A malicious .praison bundle could create a link inside the
destination directory that points outside it, then write through that link to an
attacker-chosen path.
This matters for agent supply chains because recipes are executable context: they come from registries, tutorials, shared bundles, and team workflows. The safe default is to treat recipe archives as untrusted input until extraction is contained and link members are blocked.
When to use it
Use this recipe when a repository, agent marketplace, PraisonAI deployment, or
recipe ingestion pipeline accepts .praison bundles or tar-based recipe
archives. It is aimed at source-code remediation, archive extraction hygiene,
agent supply-chain review, and audit evidence that recipe installs cannot write
outside the intended destination.
Inputs
- PraisonAI version, recipe ingestion code, archive extraction helper, marketplace/import workflow, and destination directory policy.
- Source paths that inspect tar members, symlinks, hardlinks, path traversal, overwrite behavior, file permissions, and post-extraction execution.
- Regression archives for symlinks, hardlinks, absolute paths,
..traversal, duplicate names, and expected reject/allow behavior using temporary dirs. - Boundary evidence for what recipe install can reach: workspace files, credentials, config directories, generated code, plugins, and startup hooks.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
PraisonAI |
<=4.6.36 |
4.6.37 |
Indicator-of-exposure
- The repo installs
PraisonAI <4.6.37. - Users run
praisonai recipe pull,praisonai recipe publish, orpraisonai recipe unpack. - The repository hosts a PraisonAI registry or processes uploaded
.praisonbundles. - Archive extraction code calls
tar.extractall(...)withoutfilter="data"or equivalent link handling.
Quick checks:
rg -n "PraisonAI|recipe pull|recipe publish|recipe unpack|_safe_extractall|tar\\.extractall|filter=\"data\"|\\.praison|issym\\(|islnk\\(" .
python -m pip show PraisonAI
pip freeze | rg -i "praisonai"
Remediation strategy
- Upgrade PraisonAI to
4.6.37+. - Use Python tar extraction filters that reject symlinks, hardlinks, device nodes, absolute paths, and escaping paths.
- If compatibility code is needed, explicitly reject links or validate resolved link targets before extraction.
- Extract untrusted recipe archives into a temporary directory with least privilege before promotion.
- Add tests with benign link members that prove extraction fails closed without writing outside the test destination.
The prompt
You are remediating CVE-2026-44340 in PraisonAI recipe archive extraction.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades PraisonAI, hardens recipe
archive extraction, refreshes generated artifacts, and adds containment
tests, or
- TRIAGE.md if this repository does not control an affected PraisonAI recipe
workflow.
## Rules
- Scope only CVE-2026-44340 and directly related archive extraction controls.
- Do not create payloads that overwrite real user files, SSH config, shell
profiles, cron, launch agents, site-packages, or project files outside a
temporary test directory.
- Do not run untrusted `.praison` bundles from external sources.
- Do not print or commit secrets from extracted archives or user directories.
- Do not auto-merge.
## Steps
1. Inventory PraisonAI dependencies, recipe commands, registry services,
archive upload paths, CI jobs, lockfiles, containers, docs, and examples.
2. Determine every resolved `PraisonAI` version. A target is vulnerable if it
resolves to `<4.6.37`.
3. Search local extraction code for `tar.extractall`, `_safe_extractall`,
`.praison`, `issym`, `islnk`, archive upload, recipe publish, and recipe
unpack logic.
4. Upgrade PraisonAI to `4.6.37+`. Regenerate lockfiles, images, SBOMs,
dependency reports, and docs.
5. If local archive code exists, implement fail-closed extraction:
- extract into a fresh temporary directory;
- reject absolute paths and `..` segments;
- reject symlink and hardlink members or validate resolved targets;
- use `filter="data"` or equivalent;
- promote files only after validation;
- run extraction as a least-privilege identity.
6. Add tests that include benign symlink/hardlink members and assert extraction
fails without writing outside the temporary directory.
7. Add a PR body section named `CVE-2026-44340 operator actions` covering:
affected recipe workflows, registries, historical bundles to quarantine,
cache cleanup, package versions, and whether any extracted artifacts need
rebuilding from trusted bundles.
8. Run validation: dependency install, archive tests, recipe pull/unpack tests
using safe fixtures, lint/typecheck, container build, SBOM refresh, and
dependency scan.
9. Use PR title:
`fix(sec): contain PraisonAI recipe extraction`.
## Stop conditions
- No affected PraisonAI recipe workflow is controlled by this repo.
- The repository only consumes externally managed recipe processing; document
the owner and version evidence in TRIAGE.md.
- Verification would require writing outside a temporary directory.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades PraisonAI, rejects link escape paths, uses safe tar extraction filters, adds containment tests, and documents cleanup for imported recipes.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, ingestion boundary, required fix, and residual supply-chain risk. - The output must include exact validation commands and must not overwrite real user files, install untrusted recipes, or execute imported recipe code.
Verification - what the reviewer looks for
PraisonAI >=4.6.37is resolved everywhere.- Archive extraction rejects symlinks, hardlinks, absolute paths, and escaping paths.
- Tests prove extraction does not write outside the destination.
- Registry/cache/operator guidance covers old bundles.
Watch for
- Reintroduced compatibility helpers that call
extractallwithout a filter. - Recipe publish paths that validate archives but leave registry-side extraction vulnerable.
- Containers or CI caches holding old PraisonAI versions.
Related recipes
- Source code supply chain build integrity audit
- Source code attack surface map
- Source code secrets and data exposure audit
- NIST SSDF repository evidence check