CVE Disclosure · PraisonAI

CVE-2026-55530

PraisonAI · praisonaiagents

ast_grep_rewrite rewrites arbitrary files without the @require_approval gate its sibling tools carry

Severity: Moderate
Class: CWE-862
Vector: Missing approval gate
Advisory: GHSA-cfxv-8fw8-rwpv

Summary

CVE-2026-55530 is a missing-authorization flaw (CWE-862) in PraisonAI (praisonaiagents ≤ 1.6.52). Every file-modification tool exposed to the agent is gated behind a @require_approval decorator that pauses for human confirmation — except ast_grep_rewrite in ast_grep_tool.py, which ships without it.

Technical Detail

PraisonAI mediates dangerous tool calls with a human-in-the-loop approval gate. The decorator is applied consistently across the file-writing tools so that an autonomous (or prompt-injected) agent cannot silently modify the host filesystem. ast_grep_rewrite performs structural search-and-replace rewrites of files, but the decorator was never attached:

This is an authorization gap at the tool boundary: the control that makes the rest of the file tools safe is simply absent on one of them.
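A regression check for this class of gap, as an added example that is not PraisonAI's code: it parses a tools module with Python's `ast` and reports every function that appears to write files but does not carry the approval decorator. Only `require_approval` and `ast_grep_rewrite` are names from the advisory; the sample module, its function bodies and the sink list are constructed assumptions.

```python
import ast

GATE = "require_approval"  # decorator name taken from the advisory
WRITE_ATTRS = {"write_text", "write_bytes", "unlink", "rmtree"}  # heuristic sinks

def _name(node):  # trailing identifier of a decorator or callee expression
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    return getattr(node, "id", None)

def _writes_files(func):
    """True if the body contains a call that looks like a file write."""
    for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
        callee = _name(call)
        if callee in WRITE_ATTRS:
            return True
        if callee == "open":
            mode = call.args[1] if len(call.args) > 1 else next(
                (k.value for k in call.keywords if k.arg == "mode"), None)
            if isinstance(mode, ast.Constant) and set(str(mode.value)) & set("wax+"):
                return True
    return False

def ungated_writers(source):
    """Names of file-writing functions that lack the approval decorator."""
    funcs = (n for n in ast.walk(ast.parse(source))
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)))
    return sorted(f.name for f in funcs if _writes_files(f)
                  and GATE not in {_name(d) for d in f.decorator_list})

# Constructed sample module; bodies and sibling tool names are hypothetical.
SAMPLE = '''
@require_approval()
def write_file(path, content):
    with open(path, "w") as fh:
        fh.write(content)

@approval.require_approval
def delete_file(path):
    Path(path).unlink()

def ast_grep_rewrite(pattern, replacement, path):
    Path(path).write_text(replacement)

def read_file(path):
    return open(path).read()
'''
```

The sink list is a heuristic: a tool that writes through a subprocess or a helper function is missed, so pair the scan with an explicit list of tools that must carry the gate.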

Impact

Arbitrary file overwrite under the privileges of the agent process. When the target is a file that is later imported or executed — a Python module, a config consumed at startup, a shell profile — the write escalates to code execution. Because the gate is what users rely on to catch dangerous writes, the bypass removes the one checkpoint in the loop.

Resolution

Upgrade to the fixed PraisonAI release named in the advisory. The fix attaches @require_approval to ast_grep_rewrite so it matches its sibling tools. Hardening guidance:

References

Disclosure

Reported by SnailSploit. Coordinated with the PraisonAI maintainers via GitHub Security Advisory GHSA-cfxv-8fw8-rwpv. See the advisory for affected and fixed version details.

Author: Kai Aizen
Independent Adversarial · Research group. Published CVEs, Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-55530
Product: PraisonAI (praisonaiagents)
Severity: Moderate
Class: CWE-862
Vector: LLM agent calls ast_grep_rewrite → arbitrary file overwrite (no approval) · Affected/Fixed: see GHSA
References: GHSA-cfxv-8fw8-rwpv · MITRE · NVD
Frequently asked

CVE-2026-55530 — questions & answers

What is CVE-2026-55530?

CVE-2026-55530 is a missing-authorization flaw (CWE-862) in PraisonAI (praisonaiagents ≤ 1.6.52). The ast_grep_rewrite tool lacks the @require_approval gate that every other file-modification tool carries, so an LLM agent can rewrite arbitrary files without user approval. Tracked as GHSA-cfxv-8fw8-rwpv.

Am I affected by CVE-2026-55530?

You are affected if you run praisonaiagents ≤ 1.6.52 and expose the ast_grep_rewrite tool to an agent that processes untrusted input. See GHSA-cfxv-8fw8-rwpv for the exact fixed version.

How do I fix CVE-2026-55530?

Upgrade to the fixed release named in GHSA-cfxv-8fw8-rwpv, which adds the @require_approval gate to ast_grep_rewrite. As defense in depth, run the agent with a least-privilege, scoped filesystem.

What is the impact of CVE-2026-55530?

Arbitrary file overwrite under the agent process, which escalates to code execution when the overwritten file is later imported or executed. The missing gate removes the human checkpoint that normally catches dangerous writes.

Where can I find authoritative references?

The GitHub Security Advisory GHSA-cfxv-8fw8-rwpv, the MITRE CVE record for CVE-2026-55530, and the NVD detail page once published.