VYPR

PyPI package

praisonai

pkg:pypi/praisonai

Vulnerabilities (41)

  • CVE-2026-44340 | High | May 8, 2026
    affected < 4.6.37 | fixed 4.6.37

    PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not

  • CVE-2026-44339 | High | May 8, 2026
    affected < 4.6.37 | fixed 4.6.37

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agen

  • CVE-2026-44338 | High | May 8, 2026
    affected >= 2.5.6, < 4.6.34 | fixed 4.6.34

    PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yam

  • CVE-2026-44337 | Medium | May 8, 2026
    affected >= 2.4.1, < 4.6.34 | fixed 4.6.34

    PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted

  • CVE-2026-44336 | Critical | May 8, 2026
    affected < 4.6.34 | fixed 4.6.34

    PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.sho

  • CVE-2026-44334 | High | May 8, 2026
    affected >= 4.5.139, < 4.6.32 | fixed 4.6.32

    PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.p

  • CVE-2026-41497 | Critical | May 8, 2026
    affected < 4.5.149 | fixed 4.5.149

    PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution fl

  • CVE-2026-41496 | High | May 8, 2026
    affected < 4.5.149 | fixed 4.5.149

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleS

  • CVE-2026-40315 | Critical | Apr 14, 2026
    affected < 4.5.133 | fixed 4.5.133

    PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Sinc

  • CVE-2026-40289 | Critical | Apr 14, 2026
    affected < 4.5.139 | fixed 4.5.139

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on it

  • CVE-2026-40288 | Critical | Apr 14, 2026
    affected < 4.5.139 | fixed 4.5.139

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with t

  • CVE-2026-40287 | High | Apr 14, 2026
    affected < 4.5.139 | fixed 4.5.139

    PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_

  • CVE-2026-40159 | Medium | Apr 10, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s s

  • CVE-2026-40158 | High | Apr 10, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/

  • CVE-2026-40157 | High | Apr 10, 2026
    affected >= 2.7.2, < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directo

  • CVE-2026-40156 | High | Apr 10, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes

  • CVE-2026-40154 | Critical | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerab

  • CVE-2026-40151 | Medium | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application

  • CVE-2026-40149 | High | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_wr

  • CVE-2026-40148 | Medium | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before

Page 1 of 3