VYPR

Vendor CVEs

Praison

All CVEs

84 total · sorted by risk
  • CVE-2026-40114HigApr 9, 2026
    risk 0.40cvss 7.2epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using…

  • CVE-2026-39306HigApr 7, 2026
    risk 0.40cvss 7.3epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe…

  • CVE-2026-39308HigApr 7, 2026
    risk 0.39cvss 7.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP…

  • CVE-2026-47419higJun 5, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The agent CRUD endpoints (`GET / PATCH / DELETE /workspaces/{workspace_id}/agents/{agent_id}`) gate access on `require_workspace_member(workspace_id)` only, then resolve `agent_id` through `AgentService.get(agent_id)` which…

  • CVE-2026-47412higJun 1, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Authorization bypass enabling destructive action. The `DELETE /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member of the workspace can issue a single DELETE to wipe the…

  • CVE-2026-47415higJun 1, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The issue CRUD endpoints (`GET / PATCH / DELETE /workspaces/{workspace_id}/issues/{issue_id}`) gate access on `require_workspace_member(workspace_id)` only, then resolve `issue_id` through `IssueService.get(issue_id)` which…

  • CVE-2026-47417higJun 1, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The comment endpoints (`POST /workspaces/{workspace_id}/issues/{issue_id}/comments` and `GET .../comments`) gate access on `require_workspace_member(workspace_id)` only, then call `CommentService.create(issue_id=issue_id,…

  • CVE-2026-47418higJun 1, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The project CRUD endpoints (`GET / PATCH / DELETE /workspaces/{workspace_id}/projects/{project_id}` and `GET .../{project_id}/stats`) gate access on `require_workspace_member(workspace_id)` only, then resolve `project_id`…

  • CVE-2026-47409higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Authorization bypass enabling owner lockout. The `DELETE /workspaces/{workspace_id}/members/{user_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member can remove any other member, including the…

  • CVE-2026-47414higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. Five label endpoints — `PATCH /workspaces/{workspace_id}/labels/{label_id}`, `DELETE .../labels/{label_id}`, `POST .../issues/{issue_id}/labels/{label_id}`, `DELETE .../issues/{issue_id}/labels/{label_id}`, `GET…

  • CVE-2026-47406higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The dependency endpoints (`POST/GET /workspaces/{workspace_id}/issues/{issue_id}/dependencies` and `DELETE .../dependencies/{dep_id}`) gate access on `require_workspace_member(workspace_id)` only, then dispatch to…

  • CVE-2026-47405higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to `owner`. The issue is caused by privileged workspace-management routes using the shared dependency…

  • CVE-2026-47399higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary PraisonAI Platform's workspace-scoped REST routes contain a systemic object-level authorization flaw that allows an authenticated user from one workspace to access, modify, and delete objects belonging to another workspace by supplying the victim object's global…

  • CVE-2026-48169higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and…

  • CVE-2026-47397higMay 29, 2026
    risk 0.38cvss epss 0.00

    # Bug Report: Arbitrary File Write in Python API ## Summary Hidden metadata in a webpage causes PraisonAI agents to write attacker-controlled content to arbitrary paths. `write_file` skips path validation when `workspace=None` (always `None` in production). ## Affected …

  • CVE-2026-47394higMay 29, 2026
    risk 0.38cvss epss 0.00

    ## Summary The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`: > "registers four file-handling tools by default, `praisonai.rules.create`,…

  • CVE-2026-47398higMay 29, 2026
    risk 0.38cvss epss 0.00

    Arbitrary code execution via ungated spec.loader.exec_module in agents_generator.py (v4.6.32 chokepoint refactor bypass) Summary The v4.6.32 chokepoint refactor (which patched CVE-2026-44334 /…

  • CVE-2026-40148MedApr 9, 2026
    risk 0.35cvss 6.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before…

  • CVE-2026-34939MedApr 3, 2026
    risk 0.35cvss 6.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re…

  • CVE-2026-44337MedMay 8, 2026
    risk 0.34cvss 6.3epss 0.00

    PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted…

  • CVE-2026-40152MedApr 9, 2026
    risk 0.34cvss 5.3epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's…

  • CVE-2026-40115MedApr 9, 2026
    risk 0.33cvss 6.2epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by…

  • CVE-2026-40159MedApr 10, 2026
    risk 0.29cvss 5.5epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through…

  • CVE-2026-40112MedApr 9, 2026
    risk 0.28cvss 5.4epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency…

  • CVE-2026-40151MedApr 9, 2026
    risk 0.27cvss 5.3epss 0.01

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application…

  • CVE-2026-56078Jun 18, 2026
    risk 0.00cvss epss 0.01

    PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. Attackers can include traversal sequences like ../ in agent IDs to read, write, or overwrite arbitrary files, enabling sensitive…

  • CVE-2026-56077Jun 18, 2026
    risk 0.00cvss epss 0.00

    PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger…

  • CVE-2026-56076Jun 18, 2026
    risk 0.00cvss epss 0.01

    PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with…

  • CVE-2026-56075Jun 18, 2026
    risk 0.00cvss epss 0.00

    PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to…

  • CVE-2026-56074Jun 18, 2026
    risk 0.00cvss epss 0.00

    PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate…

  • CVE-2026-47411Jun 1, 2026
    risk 0.00cvss epss 0.00

    ## Summary **Type:** Authorization bypass enabling workspace metadata + settings tampering. The `PATCH /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`). Any member can rewrite the workspace's `name`,…

  • CVE-2026-47408May 29, 2026
    risk 0.00cvss epss 0.00

    ## Summary **Type:** Insecure Direct Object Reference. The `GET /workspaces/{workspace_id}/issues/{issue_id}/activity` endpoint is gated by `require_workspace_member(workspace_id)` and dispatches to `ActivityService.list_for_issue(issue_id)`, which executes `SELECT * FROM…

  • CVE-2026-47395May 29, 2026
    risk 0.00cvss epss 0.00

    ### Summary PraisonAI's direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins. If a prompt contains `@url:`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a direct…

  • CVE-2026-47390May 29, 2026
    risk 0.00cvss epss 0.00

    ### Summary PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings. The affected component is: ```text praisonaiagents/tools/spider_tools.py ```` The tool contains a URL validation function intended to block local or unsafe targets…

Page 2 of 2