VYPR
Advisory · Published May 31, 2026 · 1 source

19 Critical and High-Severity CVEs Disclosed in PraisonAI Multi-Agent Framework

A coordinated disclosure of 19 CVEs on May 29, 2026, reveals systemic authorization failures, hardcoded secrets, and unauthenticated RCE in the open-source PraisonAI multi-agent orchestration platform.

On May 29, 2026, security researchers disclosed a batch of 19 CVEs affecting PraisonAI, an open-source multi-agent orchestration framework. The vulnerabilities, published within a 35-minute window, span privilege escalation, insecure direct object references (IDOR), hardcoded JWT secrets, sandbox escapes, and unauthenticated remote code execution. Together they expose deep architectural flaws in both the PraisonAI Platform API server and the core Python agent library (praisonai pip package).

The largest cluster of CVEs targets PraisonAI Platform's workspace isolation model. The root cause is a shared FastAPI dependency, require_workspace_member(workspace_id), which defaults to min_role="member" and is never tightened for privileged routes. CVE-2026-47416 (Critical) and CVE-2026-47405 (High) describe the same core flaw: the PATCH /workspaces/{id}/members/{user_id} endpoint lets any member promote themselves or others to owner. CVE-2026-47409 (High) goes further: the DELETE /workspaces/{workspace_id}/members/{user_id} endpoint allows any member to remove the workspace owner, enabling full workspace takeover and owner lockout.

Several CVEs hit specific resource types with a second missing check, this one on resource scoping rather than role: the endpoints confirm that the caller is a member of the workspace named in the URL, but never confirm that the resource belongs to that workspace. CVE-2026-47414 (High) covers five label endpoints (PATCH/DELETE /workspaces/{id}/labels/{label_id}, POST/DELETE /workspaces/{id}/issues/{issue_id}/labels/{label_id}, and GET /workspaces/{id}/issues/{issue_id}/labels), all gated only on workspace membership and not on the label's ownership by that workspace. CVE-2026-47406 (High) targets dependency endpoints, allowing cross-workspace issue linking and deletion. CVE-2026-47408 (High) exposes the activity log endpoint, which returns activity for any issue ID regardless of workspace.
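The two missing checks above are easier to see side by side. The following is an added illustration, not PraisonAI's code: a minimal in-memory model of the workspace routes, with the default-role member-management bug and the cross-workspace label bug next to the versions that close them. The role names, the owner > admin > member ranking, the label table and all function names are this example's own assumptions.

```python
# Added illustration (not PraisonAI's code): a minimal model of the workspace
# authorization bugs described above and the checks that close them.
# Role names, the ranking, and the LABELS table are assumptions of this example.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller lacks the role the route requires."""


class NotFound(Exception):
    """Resource is not part of the workspace named in the URL."""


ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


@dataclass
class Workspace:
    id: str
    roles: dict = field(default_factory=dict)  # user_id -> role


# Stand-in for a labels table: label_id -> owning workspace_id.
LABELS: dict = {}


def require_workspace_member(ws: Workspace, user: str, min_role: str = "member") -> str:
    """Shared dependency: the caller must hold at least min_role in ws."""
    role = ws.roles.get(user)
    if role is None or ROLE_RANK[role] < ROLE_RANK[min_role]:
        raise Forbidden(f"{user} needs {min_role} on {ws.id}")
    return role


# PATCH /workspaces/{id}/members/{user_id}
def patch_member_vulnerable(ws: Workspace, caller: str, target: str, new_role: str) -> str:
    # Bug: the default min_role="member" is never tightened, so any member can
    # assign any role, including making themselves owner.
    require_workspace_member(ws, caller)
    ws.roles[target] = new_role
    return ws.roles[target]


def patch_member_hardened(ws: Workspace, caller: str, target: str, new_role: str) -> str:
    require_workspace_member(ws, caller, min_role="owner")  # privileged route, explicit floor
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    ws.roles[target] = new_role
    return ws.roles[target]


# DELETE /workspaces/{workspace_id}/members/{user_id}
def delete_member_hardened(ws: Workspace, caller: str, target: str) -> None:
    require_workspace_member(ws, caller, min_role="owner")
    if target not in ws.roles:
        raise NotFound(target)
    owners = [u for u, r in ws.roles.items() if r == "owner"]
    if ws.roles[target] == "owner" and owners == [target]:
        raise Forbidden("cannot remove the last owner (lockout guard)")
    del ws.roles[target]


# DELETE /workspaces/{id}/labels/{label_id}
def delete_label_vulnerable(ws: Workspace, caller: str, label_id: str) -> None:
    # Bug: membership in the URL's workspace is checked, but the label is looked
    # up by id alone, so a member of any workspace can delete any label.
    require_workspace_member(ws, caller)
    del LABELS[label_id]


def delete_label_hardened(ws: Workspace, caller: str, label_id: str) -> None:
    require_workspace_member(ws, caller)
    # Resource scoping: the label must belong to the workspace in the URL.
    if LABELS.get(label_id) != ws.id:
        raise NotFound(label_id)
    del LABELS[label_id]


def make_fixture():
    """Two workspaces; bob is a plain member of ws1 and not in ws2 at all."""
    LABELS.clear()
    LABELS.update({"L1": "ws1", "L2": "ws2"})
    ws1 = Workspace("ws1", {"alice": "owner", "bob": "member"})
    ws2 = Workspace("ws2", {"carol": "owner"})
    return ws1, ws2
```

In a FastAPI app the shared dependency would be wired with Depends(), but the shape of the fix is the same: a per-route min_role floor on anything that changes membership, and a separate per-resource check that the object referenced in the path actually belongs to the workspace in the path. Neither check substitutes for the other.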

Critical authentication and key management failures compound the authorization gaps. CVE-2026-47410 (Critical) reveals that the JWT signing key defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev", and PLATFORM_ENV itself defaults to "dev", so a deployment that sets neither variable passes the check silently. Anyone who knows the literal can then forge a valid token for any user. CVE-2026-47393 (Critical) documents that praisonai deploy --type api emits a Flask server with authentication disabled by default, bound to 0.0.0.0. CVE-2026-47396 (Critical) describes the call server's agent control API, which fails open when CALL_SERVER_TOKEN is unset, exposing unauthenticated agent listing, invocation, and deletion.
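The JWT default and the call-server token share one pattern: an unset setting makes the check pass instead of fail. The block below is an added illustration, not PraisonAI's code. It reproduces the environment-gated default that never trips, shows why knowing the literal is enough to mint a token the server accepts, and puts the fail-closed versions beside both. The HS256 helper is a minimal stdlib implementation written for this example rather than a JWT library, and every function name here is assumed.

```python
# Added illustration (not PraisonAI's code) of two fail-open defaults: a JWT
# secret that falls back to a hardcoded literal behind a check that never fires,
# and a token gate that is skipped when the token is unset. Function names and
# the minimal HS256 helper are this example's own.
import base64
import hashlib
import hmac
import json
from typing import Optional

DEFAULT_SECRET = "dev-secret-change-me"  # the literal named in the advisory


def load_jwt_secret_vulnerable(env: dict) -> str:
    """Mirrors the bug: the guard only runs when PLATFORM_ENV != "dev",
    but PLATFORM_ENV itself defaults to "dev", so an unset secret passes."""
    secret = env.get("PLATFORM_JWT_SECRET", DEFAULT_SECRET)
    if env.get("PLATFORM_ENV", "dev") != "dev" and secret == DEFAULT_SECRET:
        raise RuntimeError("refusing to start with the default JWT secret")
    return secret


def load_jwt_secret_hardened(env: dict) -> str:
    """Fail closed in every environment: missing, default, or short secrets abort."""
    secret = env.get("PLATFORM_JWT_SECRET")
    if not secret or secret == DEFAULT_SECRET or len(secret) < 32:
        raise RuntimeError("PLATFORM_JWT_SECRET must be set to a strong, unique value")
    return secret


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature verifies under secret, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def forged_claims_accepted(server_env: dict) -> Optional[dict]:
    """An attacker who knows the default literal mints a token; the server,
    whose operator never set PLATFORM_JWT_SECRET, verifies it happily."""
    server_secret = load_jwt_secret_vulnerable(server_env)
    forged = sign_hs256({"sub": "victim-admin", "role": "owner"}, DEFAULT_SECRET)
    return verify_hs256(forged, server_secret)


def call_server_authorized_vulnerable(env: dict, presented: Optional[str]) -> bool:
    # Bug pattern: an unset CALL_SERVER_TOKEN disables the check entirely.
    expected = env.get("CALL_SERVER_TOKEN")
    if not expected:
        return True
    return presented is not None and hmac.compare_digest(expected, presented)


def call_server_authorized_hardened(env: dict, presented: Optional[str]) -> bool:
    expected = env.get("CALL_SERVER_TOKEN")
    if not expected or presented is None:
        return False  # unset token means nobody is authorized, not everybody
    return hmac.compare_digest(expected, presented)
```

The hardened loader deliberately ignores PLATFORM_ENV: whether a deployment is "production" is exactly the kind of fact operators forget to set, so the secret check should not depend on it. A constant-time compare on the call-server token is a small extra that costs nothing once the fail-open branch is gone.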

Unauthenticated remote code execution and sandbox escapes round out the disclosure. CVE-2026-47391 (Critical) chains three behaviors in PraisonAI's first-party A2A server example: no auth_token configured, binding to 0.0.0.0, and a calculate(expression) tool implemented via eval(). An unauthenticated remote caller can therefore send a prompt that makes the model invoke calculate() on an attacker-chosen expression, which the server hands straight to eval(). CVE-2026-47392 (Critical) describes a sandbox escape in execute_code() (subprocess mode): print.__self__ evaluates to the real Python builtins module, from which __import__ can be retrieved to load os and run arbitrary commands.
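The builtins leak is worth seeing against a concrete restricted-eval, since it shows why stripping names from __builtins__ is not a sandbox. The block below is an added demonstration, not PraisonAI's code: a toy eval with a reduced builtins table of the kind such sandboxes use, the print.__self__ path through it, and an AST pre-check that rejects dunder access. The function names and the SAFE_BUILTINS table are this example's own.

```python
# Added demonstration (not PraisonAI's code) of the builtins leak described in
# the advisory, against a toy restricted eval, plus an AST pre-check that
# rejects the dunder access path. Names are this example's own.
import ast
import os

SAFE_BUILTINS = {"len": len, "min": min, "max": max, "abs": abs, "print": print}


def eval_restricted(expr: str):
    """Toy sandbox: eval with a stripped-down __builtins__ table."""
    return eval(expr, {"__builtins__": dict(SAFE_BUILTINS)}, {})


# The escape: print is a builtin function, and a builtin function's __self__ is
# the module it lives in, i.e. the real `builtins` module, whose __import__ is
# intact even though the sandbox never exposed it by name.
ESCAPE = "print.__self__.__import__('os').getpid()"


def escape_reaches_os() -> bool:
    """True when the restricted eval can call into the os module."""
    return eval_restricted(ESCAPE) == os.getpid()


class UnsafeExpression(ValueError):
    pass


def check_expression(expr: str) -> ast.Expression:
    """Reject any attribute or name starting with an underscore, which is where
    __self__, __class__, __subclasses__ and friends live."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise UnsafeExpression(f"attribute {node.attr!r} not allowed")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise UnsafeExpression(f"name {node.id!r} not allowed")
    return tree


def eval_checked(expr: str):
    """Same reduced builtins, but only after the expression passes the AST check."""
    tree = check_expression(expr)
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": dict(SAFE_BUILTINS)}, {})
```

The AST check narrows the expression language and stops this particular path, but it is a denylist on syntax, not a security boundary: string-built attribute names, format-string tricks and every object reachable from the allowed builtins remain in play. Code that an attacker can influence belongs in a separate process with OS-level confinement and no importable access to the host, which is the point of the subprocess-mode escape above: the child process was still a full Python interpreter that could import os.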

File operations and SSRF vulnerabilities further widen the attack surface. CVE-2026-47397 (High) allows arbitrary file write: metadata hidden in a web page the agent reads steers it into calling write_file with workspace=None, and because workspace is always None in production, the path validation that runs only when a workspace is set is skipped entirely. CVE-2026-47394 (High) reports an incomplete fix for CVE-2026-44336: the original advisory named four vulnerable MCP handlers, but the patch missed workflow.show, workflow.validate, and deploy.validate, leaving unauthenticated arbitrary file read open. CVE-2026-47395 (High) describes the CLI's @url: mention parser, which fetches attacker-supplied URLs directly with urllib.request.urlopen(), loopback addresses included, so responses from internal services end up in the model's context.
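Both the write_file and the @url: issues come down to agent-tool inputs that are validated only on a happy path. The following is an added illustration, not PraisonAI's code, and its function names are assumed: a path resolver that mirrors the validation-only-if-workspace pattern next to one that refuses to write without a root, and a URL gate for fetches that rejects loopback, link-local and private destinations and fails closed when a name cannot be resolved.

```python
# Added illustration (not PraisonAI's code) of fail-closed validation for two
# agent-tool inputs: a file path that must stay inside a workspace root, and a
# fetch URL that must not reach loopback or private address space.
# Function names are this example's own.
import ipaddress
import socket
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse


def resolve_write_target_vulnerable(path: str, workspace: Optional[str]) -> Path:
    """Bug pattern: validation lives inside `if workspace is not None`, and
    workspace is None in production, so every path is accepted as given."""
    if workspace is not None:
        root = Path(workspace).resolve()
        target = (root / path).resolve()
        if not target.is_relative_to(root):
            raise PermissionError(f"{path} escapes {root}")
        return target
    return Path(path)


def resolve_write_target_hardened(path: str, workspace: Optional[str]) -> Path:
    """No workspace means no writable location, not an unrestricted one."""
    if workspace is None:
        raise PermissionError("write_file requires a workspace root")
    if Path(path).is_absolute():
        raise PermissionError("absolute paths are not allowed")
    root = Path(workspace).resolve()
    # resolve() follows symlinks, so a link inside the root that points
    # outside it is caught by the containment check as well.
    target = (root / path).resolve()
    if target == root or not target.is_relative_to(root):
        raise PermissionError(f"{path} escapes {root}")
    return target


def _blocked_ip(ip) -> bool:
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def url_allowed_for_fetch(url: str) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. A name that cannot be resolved is refused (fail closed)."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal, v4 or bracketed v6
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False
        addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and not any(_blocked_ip(ip) for ip in addrs)
```

Resolving the name in the gate still leaves a window between the check and the actual connection (DNS rebinding); a production fetcher should connect to the vetted address itself, or run the fetch through an egress proxy that enforces the same policy, rather than letting urlopen() resolve the name a second time. The point the advisory makes still holds either way: a missing workspace or an unvetted host must stop the tool call, not relax it.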

As of the disclosure date, patches were expected across the affected components. Users of PraisonAI Platform should set PLATFORM_JWT_SECRET to a strong, unique value and set PLATFORM_ENV to a production value rather than relying on the "dev" default; call server deployments should set CALL_SERVER_TOKEN, since an unset token disables authentication. For the agent library (praisonai pip package), versions <= 4.6.37 are affected by the file write and sandbox escape issues. The A2A example server should never be deployed without authentication. Organizations running praisonai deploy --type api must verify that authentication is enabled. This disclosure underscores the risks of rapid development in the AI agent space, where security defaults often lag behind feature velocity.

Synthesized by Vypr AI