GHSA-29w3-p9w9-wc47: PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation

June 18, 2026

The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, user input in chat bots, or malicious YAML workflow configs) to read sensitive files (e.g., /etc/shadow, ~/.ssh/id_rsa, ~/.aws/credentials) and overwrite arbitrary files on the filesystem.

References

github.com/MervinPraison/PraisonAI/security/advisories/GHSA-29w3-p9w9-wc47
github.com/advisories/GHSA-29w3-p9w9-wc47

Code Behaviors & Features

Detect and mitigate GHSA-29w3-p9w9-wc47 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →