CVE-2026-40117: PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate

April 10, 2026

read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt.

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf
github.com/advisories/GHSA-grrg-5cg9-58pf
nvd.nist.gov/vuln/detail/CVE-2026-40117

Code Behaviors & Features

Detect and mitigate CVE-2026-40117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →