VYPR
Advisory · Published Jun 18, 2026 · Updated Jun 20, 2026 · 1 source

PraisonAI: Five CVEs Disclosed Together — Path Traversal, CORS Misconfig, and Approval Bypasses


Key findings

  • Five CVEs disclosed together in PraisonAI, affecting versions before 1.5.128
  • Path traversal in MultiAgentMonitor allows arbitrary file read/write (CVE-2026-56078)
  • Duplicate agent IDs in MultiAgentLedger leak sensitive data (CVE-2026-56077)
  • Hardcoded wildcard CORS and missing auth on AGUI endpoint enable cross-origin agent execution (CVE-2026-56076)
  • Approval mode override and coarse-grained caching bypass shell command restrictions (CVE-2026-56075, CVE-2026-56074)
  • All flaws fixed in PraisonAI 1.5.128

On June 18, 2026, five distinct security vulnerabilities were disclosed in PraisonAI, an open-source framework for building multi-agent AI systems. The batch, spanning versions prior to 1.5.128, includes flaws ranging from path traversal and information disclosure to arbitrary shell command execution and CORS misconfiguration. Together, the vulnerabilities expose PraisonAI deployments to risks of data exfiltration, denial of service, and remote code execution, making immediate patching critical for organizations using the framework.

Path Traversal in MultiAgentMonitor

CVE-2026-56078 is a path traversal vulnerability in the MultiAgentMonitor component. The software does not sanitize agent IDs before using them to build file paths, so an attacker who controls an agent ID can embed traversal sequences such as ../ in it. The resulting path escapes the monitor's directory, letting the attacker read, write, or overwrite any file the service account can reach. Depending on which file is targeted, that means disclosure of secrets, denial of service by clobbering state, or code execution by overwriting a script or configuration the service later loads.
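The two-layer fix a practitioner would expect for this class of bug, as an added example that is not PraisonAI's code: allow-list the identifier itself, then resolve the final path and confirm it is still inside the base directory. The base directory, the regex and the .json suffix are assumptions made for the demo; only the traversal behaviour is the page's.

```python
import os
import re
from pathlib import Path

# Hypothetical state directory for the demo (not PraisonAI's real layout).
BASE_DIR = Path("/var/lib/agent-monitor")

# Vulnerable pattern: the caller-supplied agent ID goes straight into the file name.
def monitor_path_unsafe(base: Path, agent_id: str) -> Path:
    return base / f"{agent_id}.json"

# Layer 1: an agent ID is a short token, nothing else. Rejects '/', '.', '%', NUL, spaces.
AGENT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

def monitor_path_safe(base: Path, agent_id: str) -> Path:
    if not AGENT_ID_RE.fullmatch(agent_id):
        raise ValueError(f"invalid agent id: {agent_id!r}")
    # Layer 2: normalise both sides and require containment. This also catches
    # a symlinked base directory, because both paths are resolved the same way.
    base_resolved = base.resolve()
    candidate = (base_resolved / f"{agent_id}.json").resolve()
    if not candidate.is_relative_to(base_resolved):
        raise ValueError("path escapes monitor directory")
    return candidate

def demo(agent_id: str) -> dict:
    """Show where each variant would land for one constructed agent ID.
    Only path construction is performed; nothing on disk is touched."""
    unsafe = os.path.normpath(str(monitor_path_unsafe(BASE_DIR, agent_id)))
    try:
        safe = str(monitor_path_safe(BASE_DIR, agent_id))
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return {"unsafe": unsafe, "safe": safe}

if __name__ == "__main__":
    for aid in ("agent-7", "../../../etc/passwd", "agent/../../etc/shadow"):
        print(aid, demo(aid))
```

The regex alone would be enough here, but the containment check is what saves you when an ID is later allowed to carry a sub-directory or when a second code path builds the name differently; keep both.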

Information Disclosure via Shared MultiAgentLedger State

CVE-2026-56077 affects the MultiAgentLedger component, which does not enforce uniqueness of agent IDs. An attacker who registers an agent under an ID that is already in use is handed the same ledger instance as the existing agent, and with it that agent's sensitive state, including its system prompt and other confidential information that was never meant to cross the agent boundary.
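A constructed illustration of the aliasing this CVE describes, and the registry behaviour that prevents it; this is added example code, not PraisonAI's. The registry and ledger classes and the "finance-agent" scenario are hypothetical. The weak variant uses the common `setdefault` idiom, which is exactly what hands a second registrant the first agent's ledger.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Ledger:
    # Per-agent state; the system prompt is the sensitive part the CVE concerns.
    system_prompt: str
    entries: List[str] = field(default_factory=list)

class WeakLedgerRegistry:
    """Trusts caller-supplied IDs. A duplicate silently aliases the existing
    ledger, so the second registrant reads the first one's prompt."""
    def __init__(self) -> None:
        self._ledgers: Dict[str, Ledger] = {}

    def register(self, agent_id: str, system_prompt: str) -> Ledger:
        return self._ledgers.setdefault(agent_id, Ledger(system_prompt))

class StrictLedgerRegistry:
    """Refuses duplicates and can mint server-side IDs so callers never choose their own."""
    def __init__(self) -> None:
        self._ledgers: Dict[str, Ledger] = {}

    def register(self, agent_id: str, system_prompt: str) -> Ledger:
        if agent_id in self._ledgers:
            raise ValueError(f"agent id already registered: {agent_id!r}")
        ledger = Ledger(system_prompt)
        self._ledgers[agent_id] = ledger
        return ledger

    def register_new(self, system_prompt: str) -> Tuple[str, Ledger]:
        # 128-bit random ID: unguessable, so an attacker cannot pre-register it.
        agent_id = secrets.token_urlsafe(16)
        return agent_id, self.register(agent_id, system_prompt)

def leaked_prompt(registry_cls) -> Optional[str]:
    """Constructed scenario: a privileged agent registers first; an attacker then
    registers with the same ID. Returns the prompt the attacker's ledger exposes,
    or None if the duplicate registration was refused."""
    reg = registry_cls()
    reg.register("finance-agent", "SECRET: approve wires only for account 4471")
    try:
        attacker_view = reg.register("finance-agent", "attacker prompt")
    except ValueError:
        return None
    return attacker_view.system_prompt

if __name__ == "__main__":
    print("weak  :", leaked_prompt(WeakLedgerRegistry))
    print("strict:", leaked_prompt(StrictLedgerRegistry))
```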

Cross-Origin Agent Execution via Hardcoded Wildcard CORS

CVE-2026-56076 describes cross-origin agent execution through the AGUI endpoint. The POST /agui endpoint requires no authentication and hardcodes the Access-Control-Allow-Origin: * header. Because Starlette parses a request body as JSON regardless of its Content-Type, a page on any origin can send the payload as a text/plain POST, which browsers deliver without a CORS preflight; with no authentication there is nothing to stop the agent run from being triggered. The wildcard origin then additionally lets the attacker's page read the response. Anyone who can get a victim's browser to load a page can therefore drive agent execution on a reachable deployment.
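A framework-agnostic request gate showing the three controls that together close this hole, as an added example rather than PraisonAI's code: an origin allow-list echoed back instead of *, a required application/json Content-Type (a non-simple type forces the browser to preflight, so the origin check runs before any body is parsed), and a bearer token so non-browser clients are still authenticated. The allow-list, token and header names are constructed for the demo; header keys are assumed lower-cased by the caller.

```python
import hmac
from typing import Dict

# Constructed deployment settings; names are hypothetical, not PraisonAI's.
ALLOWED_ORIGINS = {"https://console.example.internal"}
API_TOKEN = "replace-with-a-real-secret"  # would come from a secret store

def gate_agui_request(method: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a request to the agent-execution endpoint may proceed and
    which CORS headers to emit. Returns {'status': int, 'headers': {...}}.
    Run this before the body is read or parsed."""
    origin = headers.get("origin")
    cors: Dict[str, str] = {}
    if origin is not None:
        # Browsers always send Origin on cross-origin POSTs. Unknown origin:
        # refuse, and emit no ACAO header at all. For a preflight this blocks the
        # real request; for a simple request it stops the page reading the reply.
        if origin not in ALLOWED_ORIGINS:
            return {"status": 403, "headers": {}}
        cors = {
            "Access-Control-Allow-Origin": origin,  # echo the allow-listed value, never '*'
            "Vary": "Origin",
            "Access-Control-Allow-Headers": "authorization, content-type",
            "Access-Control-Allow-Methods": "POST",
        }
    if method == "OPTIONS":
        return {"status": 204, "headers": cors}
    if method != "POST":
        return {"status": 405, "headers": cors}
    # application/json is not a CORS-safelisted type, so a browser must preflight
    # (and pass the origin check above) before this request can ever arrive.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return {"status": 415, "headers": cors}
    # Authentication applies to everyone, browser or not.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token, API_TOKEN):
        return {"status": 401, "headers": cors}
    return {"status": 200, "headers": cors}

if __name__ == "__main__":
    # Constructed attacker page: simple text/plain POST, no preflight involved.
    print(gate_agui_request("POST", {"origin": "https://evil.example",
                                      "content-type": "text/plain"}))
```

The Origin check alone is not an authentication mechanism (curl sends no Origin), and the token alone does not stop a logged-in browser from being driven cross-site if the endpoint accepts simple requests; the gate needs all three pieces.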

Arbitrary Shell Command Execution via Approval Mode Override

CVE-2026-56075 allows authenticated attackers to execute arbitrary shell commands. The UI modules hardcode approval_mode to auto, so the administrator's PRAISON_APPROVAL_MODE environment variable is never honoured when the agent is driven through the UI. The intended human-in-the-loop approval step is therefore skipped, and an attacker can instruct the LLM agent to run arbitrary shell commands through the execute_command tool without anyone being asked.

Tool Approval Cache Bypass via Coarse-Grained Caching

CVE-2026-56074 concerns the cache of tool approval decisions, which is keyed by tool name alone and ignores the invocation arguments. An attacker who obtains approval for a harmless command (for example ls) thereby unlocks every later execute_command call: a follow-up command that reads API keys or credentials and exfiltrates them runs without a new approval prompt.
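One approval gate that addresses both approval flaws above, as an added example and not PraisonAI's implementation: the mode is resolved with the PRAISON_APPROVAL_MODE environment variable taking precedence over any UI default (the inverse of CVE-2026-56075), and cached approvals are keyed by the tool name plus a canonical hash of its arguments (the fix CVE-2026-56074 calls for). The mode names manual and auto, the ApprovalGate class and the ls / credentials scenario are assumptions for the demo.

```python
import hashlib
import json
from typing import Any, Mapping, Set

VALID_MODES = {"manual", "auto"}  # hypothetical mode values modelled on the 'auto' in the advisory

def resolve_approval_mode(env: Mapping[str, str], ui_default: str = "manual") -> str:
    """Environment wins over whatever the UI proposes; unknown values fail closed
    to 'manual'. CVE-2026-56075 was the reverse: the UI hardcoded 'auto' and the
    environment variable was never read."""
    mode = env.get("PRAISON_APPROVAL_MODE", ui_default).strip().lower()
    return mode if mode in VALID_MODES else "manual"

def weak_key(tool: str, args: Mapping[str, Any]) -> str:
    # The vulnerable shape: tool name only, so 'ls' and 'cat ~/.aws/credentials' collide.
    return tool

def approval_key(tool: str, args: Mapping[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equivalent argument dicts
    # hash identically while any change in the command produces a new key.
    canonical = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class ApprovalGate:
    def __init__(self, mode: str, key_fn=approval_key) -> None:
        self.mode = mode
        self._key_fn = key_fn
        self._approved: Set[str] = set()

    def needs_prompt(self, tool: str, args: Mapping[str, Any]) -> bool:
        if self.mode == "auto":
            return False
        return self._key_fn(tool, args) not in self._approved

    def record_approval(self, tool: str, args: Mapping[str, Any]) -> None:
        self._approved.add(self._key_fn(tool, args))

def bypass_possible(key_fn) -> bool:
    """Constructed scenario: the operator approves 'ls -la'; the model (or an
    injected prompt) then asks for a credential-reading command. Returns True if
    the second call would run WITHOUT a fresh approval prompt."""
    gate = ApprovalGate("manual", key_fn)
    gate.record_approval("execute_command", {"command": "ls -la"})
    return not gate.needs_prompt("execute_command", {"command": "cat ~/.aws/credentials"})

if __name__ == "__main__":
    print("mode:", resolve_approval_mode({"PRAISON_APPROVAL_MODE": "manual"}, ui_default="auto"))
    print("weak cache bypass:", bypass_possible(weak_key))
    print("keyed cache bypass:", bypass_possible(approval_key))
```

Hashing the canonical arguments rather than the raw string also means a remembered approval for one exact command does not leak to a near-identical one (an extra flag, a different path), which is the granularity a shell-execution tool actually needs.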

Patch Status and Mitigations

PraisonAI addressed these vulnerabilities across releases 1.5.115 and 1.5.128; 1.5.115 closed only part of the set, so upgrade to 1.5.128 or later to remediate all five CVEs. Until then, and as defence in depth afterwards, administrators should confirm the AGUI endpoint is not reachable from untrusted networks or browsers, place it behind authentication if the deployment allows, and verify that the approval mode actually in effect matches the PRAISON_APPROVAL_MODE value they configured rather than assuming the environment variable is honoured.

Why This Batch Matters

This disclosure highlights the security challenges inherent in AI agent frameworks, where the trust boundaries between agents, users, and external tools must be enforced in code rather than assumed. Path traversal, cross-agent state leakage, a CORS misconfiguration, and two approval bypasses in one product underscore the need for rigorous input validation, authentication, and access control in multi-agent systems, and in particular for treating model-driven tool calls as untrusted input. Organizations running PraisonAI should prioritize updating to the latest version and audit their agent configurations and network exposure for the conditions described above.

Synthesized by Vypr AI