GHSA-j7qx-p75m-wp7g: PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools through ctx.get_tools():

    ctx = setup_dynamic_context()
    agent = Agent(
        instructions="You are a data analyst.",
        tools=ctx.get_tools(),        # artifact_head/tail/grep/chunk helpers
        hooks=[ctx.get_middleware()], # middleware that queues large outputs as artifacts
    )
The official documentation describes these helpers as a way for the agent to explore large tool-output artifacts that were queued by the middleware:
- large tool outputs are saved as artifacts;
- the agent receives compact artifact references; and
- the agent uses artifact_tail and artifact_grep to explore that data.
The implemented artifact tools do not enforce that the supplied
artifact_path is an artifact created by the configured store or that it lives
under the configured artifact base directory. Instead, artifact_head,
artifact_tail, artifact_grep, and artifact_chunk wrap the caller-supplied
path directly into an ArtifactRef and then read it from the host filesystem.
As a result, any prompt/user/tool-caller that can influence those tool
arguments can read files readable by the PraisonAI process, such as project
.env files, cloud credentials, SSH keys, source files, or other local data.