Skip to content
Threat Feed
critical advisory

CVE-2026-61447 PraisonAI Remote Code Execution Vulnerability via Prompt Injection

Attackers can exploit CVE-2026-61447, a critical remote code execution vulnerability in PraisonAI versions before 1.6.78, by using prompt injection to manipulate LLM-generated Python code, leading to arbitrary code execution and exfiltration of environment secrets on the host system.

A critical remote code execution vulnerability, identified as CVE-2026-61447, exists in PraisonAI versions prior to 1.6.78. This flaw resides within the CodeAgent._execute_python() function, which is responsible for executing Python code generated by the LLM. The vulnerability stems from a lack of Abstract Syntax Tree (AST) validation, import restrictions, and sandbox enforcement during code execution. Threat actors can exploit this by crafting malicious prompts, leveraging prompt injection techniques to influence the LLM's output and embed arbitrary Python commands into the generated code. When CodeAgent._execute_python() executes this tainted code, it grants the attacker full control over the host system, enabling sensitive actions such as environment secret exfiltration and arbitrary code execution. This poses a significant risk to organizations using affected PraisonAI deployments, as it allows unauthorized access and data compromise.

Attack Chain

  1. Attacker crafts a specially designed malicious prompt incorporating injection techniques.
  2. The malicious prompt is submitted to the PraisonAI CodeAgent.
  3. PraisonAI's underlying Large Language Model (LLM) processes the injected prompt.
  4. The LLM generates Python code that includes attacker-controlled commands, influenced by the prompt injection.
  5. The CodeAgent._execute_python() function is invoked to execute the LLM-generated Python code.
  6. Due to the absence of AST validation, import restrictions, and sandbox enforcement, the arbitrary Python code is executed directly on the host system.
  7. The attacker achieves remote code execution, enabling actions such as exfiltrating environment secrets or deploying additional malicious payloads.

Impact

Successful exploitation of CVE-2026-61447 leads to complete compromise of the host system running PraisonAI. Attackers gain the ability to execute arbitrary code with the privileges of the PraisonAI process, allowing them to exfiltrate all environment secrets, access sensitive data, install malware, or establish persistent backdoors. The broad scope of arbitrary code execution means that the impact can range from data theft to full system control, potentially affecting an organization's intellectual property, customer data, and operational integrity.

Recommendation

  • Patch CVE-2026-61447 immediately by updating PraisonAI to version 1.6.78 or higher to address the underlying vulnerability.
  • Implement robust input validation and sanitization specifically for LLM prompts to mitigate prompt injection risks for applications using the CodeAgent._execute_python() function.
  • Ensure that any environment executing LLM-generated code, especially via components like CodeAgent._execute_python(), operates within a tightly controlled sandbox with minimal privileges and strict network egress rules.