GHSA-j7qx-p75m-wp7g

# PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage

## Summary

PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools through `ctx.get_tools()`:

```python ctx = setup_dynamic_context()

agent = Agent( instructions="You are a data analyst.", tools=ctx.get_tools(), hooks=[ctx.get_middleware()], ) ```

The official documentation describes these helpers as a way for the agent to explore large tool-output artifacts that were queued by the middleware:

- large tool outputs are saved as artifacts; - the agent receives compact artifact references; and - the agent uses `artifact_tail` and `artifact_grep` to explore that data.

The implemented artifact tools do not enforce that the supplied `artifact_path` is an artifact created by the configured store or that it lives under the configured artifact base directory. Instead, `artifact_head`, `artifact_tail`, `artifact_grep`, and `artifact_chunk` wrap the caller-supplied path directly into an `ArtifactRef` and then read it from the host filesystem.

As a result, any prompt/user/tool-caller that can influence those tool arguments can read files readable by the PraisonAI process, such as project `.env` files, cloud credentials, SSH keys, source files, or other local data.

## Affected Product

- Repository: `MervinPraison/PraisonAI` - Ecosystem: `pip` - Package: `praisonai` - Component: Dynamic Context Discovery artifact tools - Current source path: `src/praisonai/praisonai/context/queue.py` - Artifact store path: `src/praisonai/praisonai/context/artifact_store.py` - Latest PyPI version validated: `4.6.58` - Current `origin/main` validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e` - Current `origin/main` tag validated: `v4.6.58`

Suggested affected range:

```text pip:praisonai >= 3.8.1, <= 4.6.58 ```

Representative local sweep:

- `3.8.1`: vulnerable - `4.0.0`: vulnerable - `4.5.113`: vulnerable - `4.6.33`: vulnerable - `4.6.34`: vulnerable - `4.6.40`: vulnerable - `4.6.50`: vulnerable - `4.6.58`: vulnerable

## Root Cause

`create_artifact_tools()` creates an artifact store bound to `base_dir`, but the read tools do not use `base_dir` for containment.

For example, `artifact_head()` accepts `artifact_path` and immediately creates an `ArtifactRef` with that path:

```python def artifact_head(artifact_path: str, lines: int = 50) -> str: ref = ArtifactRef(path=artifact_path, summary="", size_bytes=0) try: return artifact_store.head(ref, lines=lines) except FileNotFoundError: return f"Error: Artifact not found: {artifact_path}" ```

`artifact_tail()`, `artifact_grep()`, and `artifact_chunk()` have the same pattern. They trust the caller-supplied path rather than resolving it through an artifact identifier, store lookup, manifest, or base-directory containment check.

The store methods then read that path directly:

```python def head(self, ref: ArtifactRef, lines: int = 50) -> str: file_path = Path(ref.path) if not file_path.exists(): raise FileNotFoundError(f"Artifact not found: {ref.path}")

result_lines = [] with open(file_path, "r", encoding="utf-8", errors="replace") as f: ... ```

There is no check equivalent to:

```python resolved = Path(ref.path).resolve() base = self.base_dir.resolve() resolved.relative_to(base) ```

There is also no check that the file has a valid `.meta` sidecar or appears in `artifact_list()`.

## Local PoV

Run against the latest PyPI package:

```bash uv run --with 'praisonai==4.6.58' \ python poc/pov_prai_cand_026_artifact_tools_arbitrary_file_read.py --json ```

The PoV:

1. Creates a temporary artifact base directory. 2. Creates a separate `outside-secret.txt` file outside that base directory. 3. Stores one legitimate artifact through `FileSystemArtifactStore.store()`. 4. Calls `artifact_head()` on the legitimate artifact as a positive control. 5. Calls `artifact_head()`, `artifact_grep()`, and `artifact_chunk()` on the outside file path. 6. Confirms `artifact_list()` does not list the outside file.

Observed output summary from `evidence/pov-pypi-4.6.58.json`:

```json { "package": "praisonai", "package_version": "4.6.58", "controls": { "outside_file_not_listed": true, "outside_file_outside_base_dir": true, "valid_artifact_read_works": true }, "outside_head": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET", "outside_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET\\n second line", "outside_chunk": "PRAI-CAND-026-OUTSIDE-ARTIFACT-SECRET", "outside_file_listed_by_artifact_list": false, "vulnerable": true } ```

The PoV was rerun successfully after a fresh `origin/main` fetch; see `evidence/pov-pypi-4.6.58-rerun.json`.

The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.

## Why This Is Not Intended Behavior

This report does not claim that every file-reading tool is automatically a vulnerability. The issue is narrower: tools documented and named as artifact helpers accept arbitrary host file paths.

The controls show the intended boundary:

- a valid artifact stored under `base_dir` is readable; - an outside file is not returned by `artifact_list()`; - the outside file is outside `base_dir`; and - the read helpers still disclose the outside file when handed its absolute path.

PraisonAI's own context-security documentation recommends relative paths and reviewing ignore rules to avoid sensitive-file exposure. Those controls are bypassed when artifact tools can be pointed directly at any readable host path.

## Impact

If a PraisonAI application exposes an agent with `ctx.get_tools()` to untrusted or lower-trust prompts, the lower-trust caller can request artifact tools against arbitrary local paths. This can disclose sensitive host files readable by the PraisonAI process, including:

- project `.env` files; - cloud or service credentials; - SSH keys; - local application configuration; - source files and private data; and - terminal/history artifacts from other runs if the path is known or guessed.

The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.

## Duplicate Posture

I checked visible PraisonAI advisories and local prior PraisonAI submissions. This is distinct from nearby file-read/file-write issues:

- `GHSA-9cr9-25q5-8prj` / `CVE-2026-47394` covers MCP CLI `workflow.show`, `workflow.validate`, and `deploy.validate` path handling. This report covers Dynamic Context Discovery artifact tools in `context/queue.py`. - `GHSA-hvhp-v2gc-268q` / `CVE-2026-47397` covers `write_file` arbitrary file write when `workspace=None`. This report is a read-only disclosure issue in artifact helper tools. - Public recipe registry path traversal advisories cover recipe publish/pull storage and extraction. This report does not involve the recipe registry. - Local prior submissions in this harness do not cover `artifact_head`, `artifact_tail`, `artifact_grep`, `artifact_chunk`, or `FileSystemArtifactStore` path containment.

## Severity

Suggested severity: High.

Suggested CVSS v3.1:

Rationale:

- `AV`: applies when an application exposes a PraisonAI agent over a network chat/API surface, which is a documented PraisonAI deployment pattern. - `AC`: no race, special environment, or complex path manipulation is required; an absolute readable path is sufficient. - `PR`: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this as `PR:L`. - `UI`: the attacker directly supplies the prompt/tool argument to the exposed agent surface. - `C`: arbitrary readable host files can contain secrets or private data. - `I/A`: this report demonstrates read-only disclosure.

## Remediation

Do not let artifact tools open arbitrary paths. Prefer stable artifact IDs over raw filesystem paths in tool arguments.

Recommended fixes:

1. Change tool schemas to accept `artifact_id` plus optional `run_id` and `agent_id`, then resolve those through the artifact store's metadata/index. 2. If path arguments must remain for compatibility, resolve the path with `Path(path).resolve()` and reject it unless it is under `artifact_store.base_dir.resolve()`. 3. Require a valid artifact metadata sidecar for read helpers. Files not created by `FileSystemArtifactStore.store()` should not be readable through artifact tools. 4. Apply the same containment check to `load()`, `head()`, `tail()`, `grep()`, `chunk()`, and `delete()`. 5. Avoid returning absolute host paths in prompt-visible artifact references when an opaque artifact ID would suffice.

Minimal containment helper:

```python def _resolve_artifact_path(self, path: str) -> Path: resolved = Path(path).expanduser().resolve() base = self.base_dir.resolve() try: resolved.relative_to(base) except ValueError as exc: raise PermissionError("Artifact path is outside artifact storage") from exc return resolved ```

This helper should be paired with metadata-sidecar validation so arbitrary non-artifact files placed under the base directory are not automatically treated as valid artifacts.