PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
📋 Description
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
Summary
PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools
through ctx.get_tools():
ctx = setup_dynamic_context()
agent = Agent(
instructions="You are a data analyst.",
tools=ctx.get_tools(),
hooks=[ctx.get_middleware()],
)
The official documentation describes these helpers as a way for the agent to explore large tool-output artifacts that were queued by the middleware:
- large tool outputs are saved as artifacts;
- the agent receives compact artifact references; and
- the agent uses
artifact_tailandartifact_grepto explore that data.
The implemented artifact tools do not enforce that the supplied
artifact_path is an artifact created by the configured store or that it lives
under the configured artifact base directory. Instead, artifact_head,
artifact_tail, artifact_grep, and artifact_chunk wrap the caller-supplied
path directly into an ArtifactRef and then read it from the host filesystem.
As a result, any prompt/user/tool-caller that can influence those tool
arguments can read files readable by the PraisonAI process, such as project
.env files, cloud credentials, SSH keys, source files, or other local data.
Affected Product
- Repository:
MervinPraison/PraisonAI - Ecosystem:
pip - Package:
praisonai - Component: Dynamic Context Discovery artifact tools
- Current source path:
src/praisonai/praisonai/context/queue.py - Artifact store path:
src/praisonai/praisonai/context/artifact_store.py - Latest PyPI version validated:
4.6.58 - Current
origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3e - Current
origin/maintag validated:v4.6.58
Suggested affected range:
pip:praisonai >= 3.8.1, <= 4.6.58
Representative local sweep:
3.8.1: vulnerable4.0.0: vulnerable4.5.113: vulnerable4.6.33: vulnerable4.6.34: vulnerable4.6.40: vulnerable4.6.50: vulnerable4.6.58: vulnerable
Root Cause
create_artifact_tools() creates an artifact store bound to base_dir, but the
read tools do not use base_dir for containment.
For example, artifact_head() accepts artifact_path and immediately creates
an ArtifactRef with that path:
def artifact_head(artifact_path: str, lines: int = 50) -> str:
ref = ArtifactRef(path=artifact_path, summary="", size_bytes=0)
try:
return artifact_store.head(ref, lines=lines)
except FileNotFoundError:
return f"Error: Artifact not found: {artifact_path}"
artifact_tail(), artifact_grep(), and artifact_chunk() have the same
pattern. They trust the caller-supplied path rather than resolving it through
an artifact identifier, store lookup, manifest, or base-directory containment
check.
The store methods then read that path directly:
def head(self, ref: ArtifactRef, lines: int = 50) -> str:
file_path = Path(ref.path)
if not file_path.exists():
raise FileNotFoundError(f"Artifact not found: {ref.path}")
result_lines = []
with open(file_path, "r", encoding="utf-8", errors="replace") as f:
...
There is no check equivalent to:
resolved = Path(ref.path).resolve()
base = self.base_dir.resolve()
resolved.relative_to(base)
There is also no check that the file has a valid .meta sidecar or appears in
artifact_list().
Local PoV
Run against the latest PyPI package:
uv run --with 'praisonai==4.6.58' \
python poc/pov_prai_cand_026_artifact_tools_arbitrary_file_read.py --json
The PoV:
- Creates a temporary artifact base directory.
- Creates a separate
outside-secret.txtfile outside that base directory. - Stores one legitimate artifact through
FileSystemArtifactStore.store(). - Calls
artifact_head()on the legitimate artifact as a positive control. - Calls
artifact_head(),artifact_grep(), andartifact_chunk()on the outside file path. - Confirms
artifact_list()does not list the outside file.
Observed output summary from evidence/pov-pypi-4.6.58.json:
{
"package": "praisonai",
"package_version": "4.6.58",
"controls": {
"outside_file_not_listed": true,
"outside_file_outside_base_dir": true,
"valid_artifact_read_works": true
},
"outside_head": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET",
"outside_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\\n second line",
"outside_chunk": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET",
"outside_file_listed_by_artifact_list": false,
"vulnerable": true
}
The PoV was rerun successfully after a fresh origin/main fetch; see
evidence/pov-pypi-4.6.58-rerun.json.
The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.
Why This Is Not Intended Behavior
This report does not claim that every file-reading tool is automatically a vulnerability. The issue is narrower: tools documented and named as artifact helpers accept arbitrary host file paths.
The controls show the intended boundary:
- a valid artifact stored under
base_diris readable; - an outside file is not returned by
artifact_list(); - the outside file is outside
base_dir; and - the read helpers still disclose the outside file when handed its absolute path.
PraisonAI's own context-security documentation recommends relative paths and reviewing ignore rules to avoid sensitive-file exposure. Those controls are bypassed when artifact tools can be pointed directly at any readable host path.
Impact
If a PraisonAI application exposes an agent with ctx.get_tools() to
untrusted or lower-trust prompts, the lower-trust caller can request artifact
tools against arbitrary local paths. This can disclose sensitive host files
readable by the PraisonAI process, including:
- project
.envfiles; - cloud or service credentials;
- SSH keys;
- local application configuration;
- source files and private data; and
- terminal/history artifacts from other runs if the path is known or guessed.
The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.
Duplicate Posture
I checked visible PraisonAI advisories and local prior PraisonAI submissions. This is distinct from nearby file-read/file-write issues:
GHSA-9cr9-25q5-8prj/CVE-2026-47394covers MCP CLIworkflow.show,workflow.validate, anddeploy.validatepath handling. This report covers Dynamic Context Discovery artifact tools incontext/queue.py.GHSA-hvhp-v2gc-268q/CVE-2026-47397coverswrite_filearbitrary file write whenworkspace=None. This report is a read-only disclosure issue in artifact helper tools.- Public recipe registry path traversal advisories cover recipe publish/pull storage and extraction. This report does not involve the recipe registry.
- Local prior submissions in this harness do not cover
artifact_head,artifact_tail,artifact_grep,artifact_chunk, orFileSystemArtifactStorepath containment.
Severity
Suggested severity: High.
Suggested CVSS v3.1:
Rationale:
AV: applies when an application exposes a PraisonAI agent over a network chat/API surface, which is a documented PraisonAI deployment pattern.AC: no race, special environment, or complex path manipulation is required; an absolute readable path is sufficient.PR: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this asPR:L.UI: the attacker directly supplies the prompt/tool argument to the exposed agent surface.C: arbitrary readable host files can contain secrets or private data.I/A: this report demonstrates read-only disclosure.
Remediation
Do not let artifact tools open arbitrary paths. Prefer stable artifact IDs over raw filesystem paths in tool arguments.
Recommended fixes:
- Change tool schemas to accept
artifact_idplus optionalrun_idandagent_id, then resolve those through the artifact store's metadata/index. - If path arguments must remain for compatibility, resolve the path with
Path(path).resolve()and reject it unless it is underartifact_store.base_dir.resolve(). - Require a valid artifact metadata sidecar for read helpers. Files not
created by
FileSystemArtifactStore.store()should not be readable through artifact tools. - Apply the same containment check to
load(),head(),tail(),grep(),chunk(), anddelete(). - Avoid returning absolute host paths in prompt-visible artifact references when an opaque artifact ID would suffice.
Minimal containment helper:
def _resolve_artifact_path(self, path: str) -> Path:
resolved = Path(path).expanduser().resolve()
base = self.base_dir.resolve()
try:
resolved.relative_to(base)
except ValueError as exc:
raise PermissionError("Artifact path is outside artifact storage") from exc
return resolved
This helper should be paired with metadata-sidecar validation so arbitrary non-artifact files placed under the base directory are not automatically treated as valid artifacts.
🎯 Affected products1
- pip/praisonai:>= 3.8.1, <= 4.6.58