{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonaiagents--1.6.48/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonaiagents (\u003c= 1.6.48)"],"_cs_severities":["high"],"_cs_tags":["command-injection","llm-agent","imap","email","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA critical command injection vulnerability has been identified in the \u003ccode\u003epraisonaiagents\u003c/code\u003e package, affecting versions up to and including 1.6.48, developed by PraisonAI. This flaw stems from the improper sanitization of LLM-controlled parameters (such as \u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e, and \u003ccode\u003emessage_id\u003c/code\u003e) when constructing IMAP SEARCH commands. Attackers can leverage this by crafting malicious prompts that, when processed by an LLM agent configured with email tools, cause the agent to execute arbitrary IMAP commands on the backend mail server. This vulnerability, actively reported in June 2026, poses a significant risk to organizations using PraisonAI agents with email integration, potentially leading to sensitive data exfiltration, permanent email deletion, or denial-of-service by terminating IMAP sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing an IMAP command injection payload, such as a double-quote followed by an IMAP command (e.g., \u003ccode\u003e\u0026quot; LOGOUT\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn LLM agent, configured with \u003ccode\u003eEMAIL_ADDRESS\u003c/code\u003e and \u003ccode\u003eEMAIL_PASSWORD\u003c/code\u003e environment variables, processes the crafted prompt as part of its normal operation.\u003c/li\u003e\n\u003cli\u003eThe LLM agent calls an internal \u003ccode\u003epraisonaiagents\u003c/code\u003e tool function (e.g., \u003ccode\u003esearch_emails\u003c/code\u003e, \u003ccode\u003ereply_email\u003c/code\u003e, or \u003ccode\u003earchive_email\u003c/code\u003e) passing the malicious input as a parameter (e.g., \u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epraisonaiagents\u003c/code\u003e tool function dynamically constructs an IMAP \u003ccode\u003eSEARCH\u003c/code\u003e command by directly interpolating the unsanitized parameter into an f-string, allowing the attacker's double-quote to prematurely close the legitimate quoted string.\u003c/li\u003e\n\u003cli\u003eThe constructed IMAP command string, now containing an injected IMAP command (e.g., \u003ccode\u003eLOGOUT\u003c/code\u003e, \u003ccode\u003eSELECT INBOX\u003c/code\u003e, \u003ccode\u003eFETCH 1:* (BODY[])\u003c/code\u003e, \u003ccode\u003eDELETE 1:*\u003c/code\u003e, \u003ccode\u003eEXPUNGE\u003c/code\u003e), is sent by the \u003ccode\u003epraisonaiagents\u003c/code\u003e process to the configured IMAP server.\u003c/li\u003e\n\u003cli\u003eThe IMAP server receives the crafted command string, parses it, and executes both the legitimate \u003ccode\u003eSEARCH\u003c/code\u003e portion (if any) and the injected IMAP command.\u003c/li\u003e\n\u003cli\u003eThe injected IMAP command performs an unauthorized action on the IMAP server, such as terminating the IMAP session, switching to another mailbox, fetching email contents, modifying email flags, or deleting messages.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include exfiltrating sensitive email data, causing denial-of-service, or permanently deleting emails from the compromised mailbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers significant control over the configured IMAP mailbox. Attackers can terminate IMAP connections, causing a denial-of-service against the agent's email capabilities. More critically, arbitrary IMAP commands can be injected, allowing the attacker to enumerate mailboxes (LIST), switch to different folders (SELECT), fetch the contents of any email (FETCH), modify email flags (STORE), move emails (COPY/MOVE), or permanently delete emails (DELETE/EXPUNGE). This leads to unauthorized email data exfiltration from potentially all accessible mailboxes, or catastrophic data loss through permanent deletion of email archives. The attack specifically targets email-capable agents deployed with the documented \u003ccode\u003eEMAIL_ADDRESS\u003c/code\u003e and \u003ccode\u003eEMAIL_PASSWORD\u003c/code\u003e environment variables, indicating a direct threat to sensitive communications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u003ccode\u003epraisonaiagents\u003c/code\u003e package to a version greater than 1.6.48 (when available) or apply the recommended remediation of properly escaping double-quote characters or using IMAP literal syntax for all user-controlled parameters (\u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e, \u003ccode\u003emessage_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor IMAP server logs for suspicious commands, specifically looking for unexpected IMAP keywords (e.g., \u003ccode\u003eLOGOUT\u003c/code\u003e, \u003ccode\u003eSELECT\u003c/code\u003e, \u003ccode\u003eFETCH\u003c/code\u003e, \u003ccode\u003eDELETE\u003c/code\u003e, \u003ccode\u003eEXPUNGE\u003c/code\u003e) embedded within \u003ccode\u003eSEARCH\u003c/code\u003e criteria, as outlined in the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eEnsure IMAP server logging is enabled and captures full commands and arguments, which is essential to activate the Sigma rules in this brief.\u003c/li\u003e\n\u003cli\u003eRestrict the permissions of the IMAP account used by \u003ccode\u003epraisonaiagents\u003c/code\u003e to the bare minimum necessary for its operations (e.g., read-only access to specific folders).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:08:53Z","date_published":"2026-06-18T15:08:53Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/","summary":"A command injection vulnerability (CVE-NONE) exists in PraisonAI's `praisonaiagents` package (versions \u003c= 1.6.48) where unsanitized LLM-controlled parameters are directly interpolated into IMAP SEARCH commands, allowing attackers to craft malicious prompts to inject arbitrary IMAP commands, leading to unauthorized email exfiltration, deletion, or denial-of-service when email tools are configured.","title":"PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonaiagents (\u003c= 1.6.48)","version":"https://jsonfeed.org/version/1.1"}