PraisonAI AICoder Component Vulnerabilities Allow Arbitrary File Write and Command Execution (CVE-2026-61445)
PraisonAI versions prior to 4.6.78 are vulnerable to arbitrary file write and command execution (CVE-2026-61445) in its AICoder component due to missing path validation and command sanitization, allowing attackers to inject malicious prompts via the chat interface to achieve root-level shell command execution.
CVE-2026-61445 identifies critical arbitrary file write and command execution vulnerabilities within the AICoder component of PraisonAI, affecting all versions prior to 4.6.78. The flaw stems from insufficient path validation and command sanitization during LLM tool calls, which PraisonAI performs. Attackers can exploit this by injecting specially crafted, malicious prompts through the PraisonAI chat interface. Successful exploitation grants an attacker the ability to write files to arbitrary locations on the filesystem and execute arbitrary shell commands with root privileges on the underlying system. This allows for full system compromise, including data exfiltration, service disruption, and the establishment of persistence. Defenders should prioritize patching this vulnerability immediately to prevent unauthorized access and control over affected PraisonAI instances.
Attack Chain
- Attacker identifies and gains access to a PraisonAI chat interface that uses the vulnerable AICoder component.
- Attacker crafts a malicious prompt incorporating specific directives designed to trigger an LLM tool call within PraisonAI.
- The crafted prompt contains either path traversal sequences (e.g.,
../) or shell metacharacters (e.g.,;,|,$(command)) embedded within the parameters for the LLM tool call. - PraisonAI's AICoder component processes the malicious prompt and attempts to execute the LLM tool call without performing proper input validation or command sanitization.
- Due to missing path validation, the crafted input allows the attacker to specify and write to arbitrary file system locations on the host system.
- Concurrently, due to missing command sanitization, the crafted input enables the attacker to inject and execute arbitrary shell commands.
- The injected shell commands are executed by the PraisonAI application process with root privileges, granting the attacker full control over the compromised system.
- Attacker leverages the root-level command execution capability for further actions, such as establishing persistence, exfiltrating sensitive data, or causing system disruption.
Impact
Successful exploitation of CVE-2026-61445 leads to critical consequences, as attackers gain the ability to write arbitrary files and execute commands with root privileges on the compromised system. This level of access allows for complete system compromise, enabling activities such as data theft, unauthorized system configuration changes, installation of backdoors for persistence, and disruption of services. While no specific victim counts or targeted sectors are detailed in the NVD, any organization utilizing PraisonAI versions before 4.6.78 is at risk of severe operational and data security breaches if this vulnerability is exploited.
Recommendation
- Patch CVE-2026-61445 by updating PraisonAI to version 4.6.78 or later immediately to remediate the arbitrary file write and command execution vulnerabilities.
- Implement web application firewall (WAF) rules to detect and block chat interface inputs containing suspicious shell metacharacters (e.g.,
;,|,&,$() or file path traversal attempts (e.g.,../,..\), specifically referenced in the Attack Chain. - Monitor application and system logs for unusual process creation originating from the PraisonAI application's user, especially the execution of shell interpreters (
sh,bash) or system utilities (wget,curl,chmod,chown) with root privileges, as detailed in the Attack Chain.