{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-all-versions-before-1.6.78/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-61447"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (All versions before 1.6.78)"],"_cs_severities":["critical"],"_cs_tags":["remote-code-execution","prompt-injection","llm","ai","vulnerability"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA critical remote code execution vulnerability, identified as CVE-2026-61447, exists in PraisonAI versions prior to 1.6.78. This flaw resides within the \u003ccode\u003eCodeAgent._execute_python()\u003c/code\u003e function, which is responsible for executing Python code generated by the LLM. The vulnerability stems from a lack of Abstract Syntax Tree (AST) validation, import restrictions, and sandbox enforcement during code execution. Threat actors can exploit this by crafting malicious prompts, leveraging prompt injection techniques to influence the LLM's output and embed arbitrary Python commands into the generated code. When \u003ccode\u003eCodeAgent._execute_python()\u003c/code\u003e executes this tainted code, it grants the attacker full control over the host system, enabling sensitive actions such as environment secret exfiltration and arbitrary code execution. This poses a significant risk to organizations using affected PraisonAI deployments, as it allows unauthorized access and data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a specially designed malicious prompt incorporating injection techniques.\u003c/li\u003e\n\u003cli\u003eThe malicious prompt is submitted to the PraisonAI CodeAgent.\u003c/li\u003e\n\u003cli\u003ePraisonAI's underlying Large Language Model (LLM) processes the injected prompt.\u003c/li\u003e\n\u003cli\u003eThe LLM generates Python code that includes attacker-controlled commands, influenced by the prompt injection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCodeAgent._execute_python()\u003c/code\u003e function is invoked to execute the LLM-generated Python code.\u003c/li\u003e\n\u003cli\u003eDue to the absence of AST validation, import restrictions, and sandbox enforcement, the arbitrary Python code is executed directly on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, enabling actions such as exfiltrating environment secrets or deploying additional malicious payloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61447 leads to complete compromise of the host system running PraisonAI. Attackers gain the ability to execute arbitrary code with the privileges of the PraisonAI process, allowing them to exfiltrate all environment secrets, access sensitive data, install malware, or establish persistent backdoors. The broad scope of arbitrary code execution means that the impact can range from data theft to full system control, potentially affecting an organization's intellectual property, customer data, and operational integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61447 immediately by updating PraisonAI to version 1.6.78 or higher to address the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization specifically for LLM prompts to mitigate prompt injection risks for applications using the \u003ccode\u003eCodeAgent._execute_python()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eEnsure that any environment executing LLM-generated code, especially via components like \u003ccode\u003eCodeAgent._execute_python()\u003c/code\u003e, operates within a tightly controlled sandbox with minimal privileges and strict network egress rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T14:19:32Z","date_published":"2026-07-11T14:19:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61447-praisonai-rce/","summary":"Attackers can exploit CVE-2026-61447, a critical remote code execution vulnerability in PraisonAI versions before 1.6.78, by using prompt injection to manipulate LLM-generated Python code, leading to arbitrary code execution and exfiltration of environment secrets on the host system.","title":"CVE-2026-61447 PraisonAI Remote Code Execution Vulnerability via Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61447-praisonai-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - PraisonAI (All Versions Before 1.6.78)","version":"https://jsonfeed.org/version/1.1"}