What happened
PraisonAI's MultiAgentMonitor component fails to sanitize agent IDs when constructing file paths. An attacker can include ../ traversal sequences in an agent ID to read sensitive configuration files, write backdoors, or overwrite critical files, enabling information disclosure, denial of service, or code execution. Published 2026-06-18, CVSS 8.8 HIGH.
Why it matters
In multi-agent AI frameworks, file-path operations are frequently used to persist agent state, logs, and configuration. A traversal primitive in the monitoring layer gives attackers a write-anywhere capability on the AI agent host, enabling persistent compromise of the agent runtime environment.
Attack vector
An attacker supplies an agent ID containing path traversal sequences (e.g. ../../etc/passwd) to the MultiAgentMonitor component. The component builds file paths by concatenating the attacker-controlled agent ID without sanitization, allowing reads, writes, or overwrites of any file accessible to the process.
Affected systems
PraisonAI < 1.5.115
Mitigation
Upgrade to PraisonAI 1.5.115 or later. Advisory: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744
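For code that builds per-agent file paths the way the Attack vector section describes, the flawed pattern is shown here next to a hardened form. This is an added example, not PraisonAI's code or its actual fix; the storage root, the .json suffix, the ID policy and all function names are assumptions.

```python
import os
import re
from pathlib import Path

# Hypothetical storage root; PraisonAI's real directory layout is not shown on this page.
BASE_DIR = Path("/var/lib/agent-monitor")

# Assumed ID policy for this example: starts alphanumeric, no path separators, max 64 chars.
AGENT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def unsafe_agent_path(agent_id: str) -> str:
    """The flawed pattern: the ID is joined into the path unchecked."""
    return os.path.normpath(os.path.join(BASE_DIR, agent_id + ".json"))


def safe_agent_path(agent_id: str) -> Path:
    """Allowlist the ID, then confirm the resolved path stays under BASE_DIR."""
    if not AGENT_ID_RE.fullmatch(agent_id) or ".." in agent_id:
        raise ValueError(f"rejected agent id: {agent_id!r}")
    base = BASE_DIR.resolve()
    candidate = (base / f"{agent_id}.json").resolve()
    # Containment check also catches symlinks and anything the allowlist missed.
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes storage root: {candidate}")
    return candidate


def check(agent_id: str) -> str:
    """Return 'ok' or 'rejected' for an ID; handy for auditing sample inputs."""
    try:
        safe_agent_path(agent_id)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample IDs, not taken from the advisory.
    for sample in ["planner-01", "../../etc/passwd", "/etc/passwd", "a/../b", ".."]:
        print(f"{sample!r:22} unsafe={unsafe_agent_path(sample)!r} safe={check(sample)}")
```

The absolute-path sample shows why stripping ../ alone is not enough: os.path.join discards the base directory when the second argument starts with a separator.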