VYPR

PyPI package

praisonai

pkg:pypi/praisonai

Vulnerabilities (41)

  • CVE-2026-40116 | High | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtim

  • CVE-2026-40115 | Medium | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by defau

  • CVE-2026-40114 | High | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.Asy

  • CVE-2026-40113 | High | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contai

  • CVE-2026-40112 | Medium | Apr 9, 2026
    affected < 4.5.128 | fixed 4.5.128

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency i

  • CVE-2026-40088 | Critical | Apr 9, 2026
    affected < 4.5.121 | fixed 4.5.121

    PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands thr

  • CVE-2026-39891 | High | Apr 8, 2026
    affected < 4.5.115 | fixed 4.5.115

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, t

  • CVE-2026-39890 | Critical | Apr 8, 2026
    affected < 4.5.115 | fixed 4.5.115

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file th

  • CVE-2026-39889 | High | Apr 8, 2026
    affected < 4.5.115 | fixed 4.5.115

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u

  • CVE-2026-39308 | High | Apr 7, 2026
    affected < 4.5.113 | fixed 4.5.113

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route.

  • CVE-2026-39307 | High | Apr 7, 2026
    affected < 4.5.113 | fixed 4.5.113

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's

  • CVE-2026-39306 | High | Apr 7, 2026
    affected < 4.5.113 | fixed 4.5.113

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle

  • CVE-2026-39305 | Critical | Apr 7, 2026
    affected < 4.5.113 | fixed 4.5.113

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path

  • CVE-2026-35615 | High | Apr 7, 2026
    affected < 1.5.113 | fixed 1.5.113

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows

  • CVE-2026-34955 | High | Apr 4, 2026
    affected < 4.5.97 | fixed 4.5.97

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or

  • CVE-2026-34953 | Critical | Apr 3, 2026
    affected < 4.5.97 | fixed 4.5.97

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, gr

  • CVE-2026-34952 | Critical | Apr 3, 2026
    affected < 4.5.97 | fixed 4.5.97

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages

  • CVE-2026-34939 | Medium | Apr 3, 2026
    affected < 4.5.90 | fixed 4.5.90

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine,

  • CVE-2026-34936 | High | Apr 3, 2026
    affected < 4.5.90 | fixed 4.5.90

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises Attr

  • CVE-2026-34935 | Critical | Apr 3, 2026
    affected >= 4.5.15, < 4.5.69 | fixed 4.5.69

    PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing