VYPR

Vendor CVEs

Praison

All CVEs

84 total · sorted by risk
  • CVE-2026-34938CriApr 3, 2026
    risk 0.65cvss 10.0epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr…

  • CVE-2026-44335CriMay 8, 2026
    risk 0.64cvss 9.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.

  • CVE-2026-39888CriApr 8, 2026
    risk 0.64cvss 9.9epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist…

  • CVE-2026-41497CriMay 8, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution…

  • CVE-2026-40315CriApr 14, 2026
    risk 0.57cvss 9.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization.…

  • CVE-2026-40288CriApr 14, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with…

  • CVE-2026-40111HigApr 9, 2026
    risk 0.57cvss 8.8epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed…

  • CVE-2026-39890CriApr 8, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file…

  • CVE-2026-34935CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop,…

  • CVE-2026-34934CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application…

  • CVE-2026-34954HigApr 3, 2026
    risk 0.56cvss 8.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who…

  • CVE-2026-44336CriMay 8, 2026
    risk 0.55cvss 9.6epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and…

  • CVE-2026-40088CriApr 9, 2026
    risk 0.55cvss 9.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands…

  • CVE-2026-40154CriApr 9, 2026
    risk 0.53cvss 9.3epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This…

  • CVE-2026-47413criJun 1, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`) and forwards the request body's `user_id` and `role`…

  • CVE-2026-47416criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role="member"` and is never overridden by the route. The handler then calls…

  • CVE-2026-47410criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV`…

  • CVE-2026-47407criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The…

  • CVE-2026-47391criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary The first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain: 1. The example exposes an A2A server without configuring `auth_token`. 2. The same example binds the server to `0.0.0.0`. 3. The example registers a…

  • CVE-2026-47392criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary `execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string…

  • CVE-2026-47393criMay 29, 2026
    risk 0.52cvss epss 0.00

    ### Summary CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai…

  • CVE-2026-47396criMay 29, 2026
    risk 0.52cvss epss 0.00

    ### Summary PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured. The affected component is the `praisonai.api.agent_invoke` router as mounted by `praisonai.api.call`. The authentication helper…

  • CVE-2026-40313CriApr 14, 2026
    risk 0.52cvss 9.1epss 0.00

    PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout…

  • CVE-2026-40289CriApr 14, 2026
    risk 0.52cvss 9.1epss 0.00

    PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on…

  • CVE-2026-39305CriApr 7, 2026
    risk 0.52cvss 9.0epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path…

  • CVE-2026-34953CriApr 3, 2026
    risk 0.52cvss 9.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated,…

  • CVE-2026-34952CriApr 3, 2026
    risk 0.52cvss 9.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages…

  • CVE-2026-34937HigApr 3, 2026
    risk 0.51cvss 7.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and…

  • CVE-2026-40157HigApr 10, 2026
    risk 0.50cvss 8.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output…

  • CVE-2026-40150HigApr 9, 2026
    risk 0.50cvss 7.7epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are…

  • CVE-2026-39891HigApr 8, 2026
    risk 0.50cvss 8.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping,…

  • CVE-2026-34955HigApr 4, 2026
    risk 0.50cvss 8.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh…

  • CVE-2026-44339HigMay 8, 2026
    risk 0.49cvss 8.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default…

  • CVE-2026-40158HigApr 10, 2026
    risk 0.49cvss 8.6epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in…

  • CVE-2026-35615HigApr 7, 2026
    risk 0.49cvss 7.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and…

  • CVE-2026-44334HigMay 8, 2026
    risk 0.48cvss 8.4epss 0.00

    PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in…

  • CVE-2026-40287HigApr 14, 2026
    risk 0.48cvss 8.4epss 0.00

    PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py…

  • CVE-2026-40153HigApr 9, 2026
    risk 0.48cvss 7.4epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line…

  • CVE-2026-40113HigApr 9, 2026
    risk 0.48cvss 8.4epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not…

  • CVE-2026-41496HigMay 8, 2026
    risk 0.46cvss 8.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso,…

  • CVE-2026-39307HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses…

  • CVE-2026-40156HigApr 10, 2026
    risk 0.44cvss 7.8epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately…

  • CVE-2026-40149HigApr 9, 2026
    risk 0.44cvss 7.9epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec,…

  • CVE-2026-34936HigApr 3, 2026
    risk 0.43cvss 7.7epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises…

  • CVE-2026-44340HigMay 8, 2026
    risk 0.42cvss 7.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does…

  • CVE-2026-40160MedApr 10, 2026
    risk 0.42cvss 6.5epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud…

  • CVE-2026-40116HigApr 9, 2026
    risk 0.42cvss 7.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's…

  • CVE-2026-39889HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info,…

  • CVE-2026-44338HigMay 8, 2026
    risk 0.40cvss 7.3epss 0.27

    PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured…

  • CVE-2026-40117MedApr 9, 2026
    risk 0.40cvss 6.2epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement,…

Page 1 of 2