VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

PraisonAI - Arbitrary Shell Command Execution via Hardcoded Approval Mode Override

CVE-2026-56075

Description

PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability: the UI modules hardcode approval_mode to auto, overriding the administrator's configuration from the PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate and the insufficient command sanitization blocklists.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Hardcoded `approval_mode="auto"` in Chainlit UI modules overrides the administrator's configured approval mode, combined with insufficient blocklist-based command sanitization that allows single-argument destructive shell commands to execute via `subprocess.run(..., shell=True)`."

Attack vector

An authenticated attacker (or anyone using default admin/admin credentials) sends a chat message requesting a shell command such as `cat /etc/passwd`. The LLM agent calls `acp_execute_command`, which passes the command through insufficient blocklists that only filter chaining operators like `;`, `|`, `&&`, and `$(`. Because the UI modules hardcode `approval_mode="auto"` [ref_id=1], the plan is auto-approved without any human prompt. The command then executes via `subprocess.run(..., shell=True)` on the server. Even when an administrator sets `PRAISON_APPROVAL_MODE=manual`, the hardcoded override silently defeats that configuration [ref_id=1].

Affected code

The Chainlit UI modules `chat.py` (lines 156–159) and `code.py` (lines 155–158) hardcode `config.approval_mode = "auto"` after loading the administrator's `PRAISON_APPROVAL_MODE` environment variable, silently overriding any manual or scoped approval setting. This flows to `agent_tools.py:347–348` in `acp_execute_command`, where the plan is auto-approved, and then to `action_orchestrator.py:458` where `subprocess.run(step.target, shell=True)` executes the command. The blocklists in `_sanitize_command()` (`agent_tools.py:60–86`) and `_apply_step()` (`action_orchestrator.py:449`) only block chaining/substitution operators, allowing single-argument destructive commands to pass through.

What the fix does

The recommended fix removes the hardcoded `config.approval_mode = "auto"` lines from both `chat.py` and `code.py`, so the administrator's `PRAISON_APPROVAL_MODE` environment variable is respected and manual or scoped approval gates remain active [ref_id=1]. Additionally, the advisory suggests strengthening `_sanitize_command()` by switching from a blocklist to an allowlist of permitted base commands (e.g., `ls`, `cat`, `echo`) and using `shlex.split()` to extract the command name, which would block destructive commands like `rm`, `curl`, and `chmod` that currently bypass the blocklist [ref_id=1].
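The two changes described above, as an added sketch that is not PraisonAI's own code. The names `resolve_approval_mode`, `sanitize_command`, `gate` and the `approve` callback are hypothetical, failing closed to `manual` when the variable is unset or invalid is an assumption, and returning an argv list for `shell=False` goes one step beyond the advisory's suggestion.

```python
import os
import shlex

# Assumption: mode names taken from the advisory text ("auto", "manual", "scoped").
VALID_MODES = {"auto", "manual", "scoped"}
# Assumption: illustrative allowlist built from the advisory's examples.
ALLOWED_COMMANDS = {"ls", "cat", "echo"}
# Characters a shell would interpret; rejected outright instead of filtered.
SHELL_METACHARS = set(";|&$`<>(){}\n\\*?~!")


def resolve_approval_mode(env=None):
    """Return the administrator's mode; fail closed to 'manual' if unset or invalid."""
    env = os.environ if env is None else env
    mode = env.get("PRAISON_APPROVAL_MODE", "").strip().lower()
    return mode if mode in VALID_MODES else "manual"


def sanitize_command(command):
    """Return an argv list for an allowlisted command, or raise ValueError."""
    if any(ch in SHELL_METACHARS for ch in command):
        raise ValueError("shell metacharacter in command")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    # Compare the exact token: "/bin/rm" or "./ls" must not match "ls".
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {argv[0]!r}")
    return argv


def gate(command, env=None, approve=lambda argv: False):
    """Decide whether a command may run; 'approve' is a hypothetical human-approval hook."""
    argv = sanitize_command(command)
    mode = resolve_approval_mode(env)
    # Simplification: every mode other than "auto" requires explicit approval.
    if mode != "auto" and not approve(argv):
        raise PermissionError(f"approval required (mode={mode})")
    return argv  # the caller would run subprocess.run(argv, shell=False)
```

An allowlist on the base command does not constrain its arguments: `cat` can still read any file the server process can, so the approval gate remains the primary control.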

Preconditions

  • auth: Attacker must be authenticated to the PraisonAI Chainlit UI (default credentials admin/admin are unchanged)
  • config: The UI must be running (e.g., `praisonai ui chat` or `praisonai ui code`)
  • input: Attacker sends a chat message containing a shell command that does not use blocked chaining/substitution operators

Reproduction

1. Start the Chainlit UI: `praisonai ui chat`
2. Log in at `http://localhost:8000` with username `admin` and password `admin`.
3. Send the message: `"Please run this command for me: cat /etc/passwd"`.
4. The LLM agent calls `acp_execute_command("cat /etc/passwd")`; the blocklist passes it, `approval_mode="auto"` auto-approves it, and `subprocess.run("cat /etc/passwd", shell=True)` executes, returning the file contents in the chat.
5. Even with `export PRAISON_APPROVAL_MODE=manual` set beforehand, the hardcoded override in `chat.py:159` still causes auto-approval [ref_id=1].

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
