CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-61432

mediumCVSS 5.7covered by 1 sourcefirst seen 2026-07-10
PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither rejects absolute paths nor canonicalizes joined paths before enforcing workspace containment. As a result, tool arguments or model-generated function calls to grep_search, glob_search, read_file, or list_directory can supply absolute paths or '../' traversal sequences to read, search, and enumerate files outside the intended workspace directory, with file contents returned to the caller or injected into the model's tool-result context.

⚡ Watch CVE-2026-61432

Get an email if CVE-2026-61432 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-61432

CVE.org record

Embed the live status

CVE-2026-61432 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-61432 status](https://www.csirts.com/badge/CVE-2026-61432)](https://www.csirts.com/cve/CVE-2026-61432)