{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/praisonai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-40315"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","praisonai","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a software application, contains a critical SQL injection vulnerability affecting nine of its conversation store backends, including MySQL, PostgreSQL, and others. The vulnerability stems from the improper handling of the \u003ccode\u003etable_prefix\u003c/code\u003e parameter, which is passed directly into SQL queries without adequate validation. Specifically, backends such as MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB are affected. In addition, the PostgreSQL backend is vulnerable due to the unvalidated \u003ccode\u003eschema\u003c/code\u003e parameter. This flaw allows an attacker to inject arbitrary SQL commands, potentially gaining unauthorized access to sensitive data. The incomplete fix for CVE-2026-40315 only addressed the SQLite backend, leaving other backends exposed. This vulnerability exists in PraisonAI versions 4.5.148 and earlier, as well as PraisonAI Agents versions 1.6.7 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PraisonAI instance where the \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e (PostgreSQL) parameter is derived from external input (e.g., API request, user-modifiable configuration).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e string containing SQL injection payload (e.g., \u0026ldquo;x\u0026rsquo;; DROP TABLE users; \u0026ndash;\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e via the vulnerable input vector.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI application receives the crafted \u003ccode\u003etable_prefix\u003c/code\u003e or \u003ccode\u003eschema\u003c/code\u003e and incorporates it into a dynamically generated SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected SQL commands are executed, potentially allowing them to read, modify, or delete data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, such as user credentials, financial information, or other confidential data.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges, compromise other systems, or perform further malicious activities within the affected environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The attacker can read sensitive data, modify existing records, inject malicious code, or even drop entire tables. This can result in significant data loss, financial damage, and reputational harm for affected organizations. This vulnerability is exploitable in any deployment where the \u003ccode\u003etable_prefix\u003c/code\u003e is derived from external input, such as in multi-tenant setups or API-driven configurations. The PostgreSQL \u003ccode\u003eschema\u003c/code\u003e parameter provides an additional injection point, further expanding the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003etable_prefix\u003c/code\u003e parameter in all database backends, mirroring the fix implemented for \u003ccode\u003esqlite.py\u003c/code\u003e as described in the overview.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eschema\u003c/code\u003e parameter in the PostgreSQL backend, as noted in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Table Prefix\u003c/code\u003e to detect attempts to exploit this vulnerability in MySQL and PostgreSQL backends, as detailed below.\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version that includes proper input validation for \u003ccode\u003etable_prefix\u003c/code\u003e and \u003ccode\u003eschema\u003c/code\u003e parameters, targeting versions later than 4.5.148 for PraisonAI and later than 1.6.7 for PraisonAI Agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-praisonai-sqli/","summary":"PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.","title":"PraisonAI Multiple Backends Vulnerable to SQL Injection via Unvalidated Table Prefix","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40289"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40289","websocket","remote-code-execution","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent team system, is affected by a critical vulnerability (CVE-2026-40289) in versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. The vulnerability lies in the browser bridge component (\u0026ldquo;praisonai browser start\u0026rdquo;), which lacks proper authentication and has a bypassable origin check on its /ws WebSocket endpoint. The server, binding to 0.0.0.0 by default, inadequately validates the Origin header, permitting connections from non-browser clients omitting this header. This flaw allows an unauthenticated attacker to remotely hijack sessions and broadcast automation actions and outputs. This can lead to unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions. Defenders must prioritize patching affected systems to mitigate this severe risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PraisonAI instance with network access to the browser bridge component.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a direct WebSocket connection to the /ws endpoint of the browser bridge, omitting the Origin header to bypass the weak origin check.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u0026ldquo;start_session\u0026rdquo; message to the WebSocket endpoint.\u003c/li\u003e\n\u003cli\u003eThe server routes the attacker\u0026rsquo;s \u0026ldquo;start_session\u0026rdquo; request to the first idle browser-extension WebSocket, effectively hijacking that session.\u003c/li\u003e\n\u003cli\u003eThe hijacked browser session begins executing commands dictated by the attacker.\u003c/li\u003e\n\u003cli\u003eAll automation actions and outputs resulting from the hijacked session are broadcast back to the attacker via the WebSocket connection.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized remote control of the connected browser automation session.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data and/or misuses model-backed browser actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40289 can lead to complete compromise of PraisonAI browser automation sessions. An attacker can gain unauthorized remote control, potentially leading to leakage of sensitive page context and automation results. Furthermore, they can misuse model-backed browser actions. The vulnerability affects all environments where the bridge is network-reachable. The severity of the impact is high, as it allows for unauthenticated remote code execution within the context of the PraisonAI browser extension.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.139 or later, and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40289.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the /ws endpoint on PraisonAI servers (logsource category: network_connection, product: windows/linux).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious websocket connections without origin header (see rule below).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit network access to the PraisonAI browser bridge component.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:18:47Z","date_published":"2026-04-14T04:18:47Z","id":"/briefs/2026-04-praisonai-rce/","summary":"PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on the /ws WebSocket endpoint, enabling unauthorized remote control and data leakage.","title":"PraisonAI Unauthenticated Remote Session Hijacking Vulnerability (CVE-2026-40289)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40287"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["praisonai","code-execution","cve-2026-40287"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is vulnerable to arbitrary code execution in versions 4.5.138 and below. The vulnerability stems from the automatic and unsanitized import of a \u003ccode\u003etools.py\u003c/code\u003e file from the current working directory during application startup. Specifically, components like \u003ccode\u003ecall.py\u003c/code\u003e (via \u003ccode\u003eimport_tools_from_file()\u003c/code\u003e), \u003ccode\u003etool_resolver.py\u003c/code\u003e (via \u003ccode\u003e_load_local_tools()\u003c/code\u003e), and command-line tool loading paths directly import \u003ccode\u003e./tools.py\u003c/code\u003e without validation, sandboxing, or user confirmation. An attacker capable of placing a malicious \u003ccode\u003etools.py\u003c/code\u003e file within the directory where PraisonAI is launched can achieve immediate, arbitrary Python code execution on the host system. This can occur through shared projects, cloned repositories, or writable workspaces. Successful exploitation allows complete control over the PraisonAI process, the host system, and any associated data or credentials. Users are advised to upgrade to version 4.5.139 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PraisonAI instance running version 4.5.138 or below.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Python script named \u003ccode\u003etools.py\u003c/code\u003e containing arbitrary code.\u003c/li\u003e\n\u003cli\u003eAttacker gains write access to the directory where PraisonAI is launched. This could be through a compromised shared project, a writable workspace, or other means of file upload.\u003c/li\u003e\n\u003cli\u003eAttacker places the malicious \u003ccode\u003etools.py\u003c/code\u003e file into the PraisonAI launch directory.\u003c/li\u003e\n\u003cli\u003ePraisonAI is started or restarted, automatically importing and executing the attacker\u0026rsquo;s \u003ccode\u003etools.py\u003c/code\u003e file. The \u003ccode\u003ecall.py\u003c/code\u003e or \u003ccode\u003etool_resolver.py\u003c/code\u003e components trigger the import process.\u003c/li\u003e\n\u003cli\u003eThe malicious code in \u003ccode\u003etools.py\u003c/code\u003e executes within the context of the PraisonAI process.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the host system, escalating privileges as needed.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised system to steal data, install malware, or pivot to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on systems running vulnerable versions of PraisonAI. This can lead to complete system compromise, data theft, and potential lateral movement within the network. The vulnerability affects all users of PraisonAI versions 4.5.138 and below. The impact of this vulnerability is high due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.139 or later to patch CVE-2026-40287.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on the PraisonAI installation directory to prevent unauthorized file creation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious file creation events in PraisonAI working directories.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running PraisonAI to detect unexpected Python code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:18:15Z","date_published":"2026-04-14T04:18:15Z","id":"/briefs/2026-04-praisonai-code-exec/","summary":"PraisonAI versions 4.5.138 and below are vulnerable to arbitrary code execution due to the unsanitized import of a malicious tools.py file, leading to potential system compromise.","title":"PraisonAI Arbitrary Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-code-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["praisonai","rce","yaml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI is vulnerable to remote code execution via specially crafted YAML files. The vulnerability stems from the \u003ccode\u003epraisonai workflow run \u0026lt;file.yaml\u0026gt;\u003c/code\u003e command, which, when processing YAML files with \u003ccode\u003etype: job\u003c/code\u003e, executes steps through the \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e. This execution path supports shell command execution via \u003ccode\u003esubprocess.run()\u003c/code\u003e, inline Python execution via \u003ccode\u003eexec()\u003c/code\u003e, and arbitrary Python script execution. An attacker can leverage this to inject malicious code into a YAML file, such as \u003ccode\u003eexploit.yaml\u003c/code\u003e, to achieve arbitrary host command execution. Versions of \u003ccode\u003epip/praisonaiagents\u003c/code\u003e up to and including 1.5.139 and \u003ccode\u003epip/PraisonAI\u003c/code\u003e up to and including 4.5.138 are affected. This is especially critical in CI/CD environments or shared deployment contexts where untrusted YAML files may be processed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML file (e.g., \u003ccode\u003eexploit.yaml\u003c/code\u003e) containing commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where PraisonAI is installed and can execute the \u003ccode\u003epraisonai\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command \u003ccode\u003epraisonai workflow run exploit.yaml\u003c/code\u003e, pointing to the malicious YAML file.\u003c/li\u003e\n\u003cli\u003ePraisonAI parses the YAML file and identifies the \u003ccode\u003etype: job\u003c/code\u003e directive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e is invoked to process the workflow steps.\u003c/li\u003e\n\u003cli\u003eWithin the workflow steps, commands specified using \u003ccode\u003erun:\u003c/code\u003e, \u003ccode\u003escript:\u003c/code\u003e, or \u003ccode\u003epython:\u003c/code\u003e directives are executed. Specifically, \u003ccode\u003e_exec_shell()\u003c/code\u003e executes shell commands, \u003ccode\u003e_exec_inline_python()\u003c/code\u003e executes inline Python, and \u003ccode\u003e_exec_python_script()\u003c/code\u003e executes Python scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, performing actions such as writing files (e.g., \u003ccode\u003epwned.txt\u003c/code\u003e) or executing arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host system, leading to potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epip/praisonaiagents\u003c/code\u003e and \u003ccode\u003epip/PraisonAI\u003c/code\u003e to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the \u003ccode\u003etype: job\u003c/code\u003e directive to prevent execution of arbitrary commands and code.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Workflow Execution with Suspicious YAML\u0026rdquo; to your SIEM to detect potential exploitation attempts, based on log source \u003ccode\u003eprocess_creation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T19:32:48Z","date_published":"2026-04-10T19:32:48Z","id":"/briefs/2024-01-03-praisonai-rce/","summary":"PraisonAI is vulnerable to remote code execution; loading untrusted YAML files with `type: job` can lead to arbitrary host command execution, potentially enabling full system compromise.","title":"PraisonAI Remote Code Execution via Malicious Workflow YAML","url":"https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI is vulnerable to remote code execution due to a misconfiguration in the Chainlit UI modules (\u003ccode\u003echat.py\u003c/code\u003e and \u003ccode\u003ecode.py\u003c/code\u003e). Specifically, the application hardcodes \u003ccode\u003econfig.approval_mode = \u0026quot;auto\u0026quot;\u003c/code\u003e, effectively disabling the intended human-in-the-loop approval mechanism for ACP tool executions, even when administrators configure the application to require manual approval. This override occurs after the application loads administrator configurations from the \u003ccode\u003ePRAISON_APPROVAL_MODE\u003c/code\u003e environment variable. Consequently, an authenticated user, including those using default credentials, can instruct the LLM agent to execute arbitrary single-command shell operations on the server without any approval prompt, subject only to the PraisonAI process’s OS-level permissions. The vulnerability affects PraisonAI versions prior to 4.5.128.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the PraisonAI UI using valid credentials (default admin/admin if unchanged).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a chat message that instructs the LLM agent to execute a shell command via the \u003ccode\u003eacp_execute_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe LLM agent parses the message and prepares the command for execution.\u003c/li\u003e\n\u003cli\u003eDue to the hardcoded \u003ccode\u003eapproval_mode = \u0026quot;auto\u0026quot;\u003c/code\u003e in \u003ccode\u003echat.py\u003c/code\u003e or \u003ccode\u003ecode.py\u003c/code\u003e, the command bypasses the intended approval process in \u003ccode\u003eagent_tools.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.run()\u003c/code\u003e function in \u003ccode\u003eaction_orchestrator.py\u003c/code\u003e executes the attacker-controlled command with \u003ccode\u003eshell=True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command executes with the permissions of the PraisonAI process.\u003c/li\u003e\n\u003cli\u003eThe result of the command execution is returned to the attacker via the chat interface.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to achieve code execution, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated user to execute arbitrary shell commands on the server hosting PraisonAI. This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eConfidentiality breach:\u003c/strong\u003e Read sensitive files accessible to the process (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application secrets).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIntegrity compromise:\u003c/strong\u003e Modify or delete files, install backdoors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAvailability impact:\u003c/strong\u003e Kill processes, consume resources, delete data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator control undermined:\u003c/strong\u003e The hardcoded \u003ccode\u003eapproval_mode\u003c/code\u003e silently overrides administrator-configured settings, creating a false sense of security.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrompt injection vector:\u003c/strong\u003e Malicious content could trigger command execution through auto-approved tools without direct user intent, especially through external sources like web searches or uploaded files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe vulnerable versions are PraisonAI versions prior to 4.5.128.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade PraisonAI:\u003c/strong\u003e Upgrade to version 4.5.128 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApply Code-Level Fix:\u003c/strong\u003e If upgrading is not immediately feasible, manually remove the hardcoded override in \u003ccode\u003echat.py\u003c/code\u003e and \u003ccode\u003ecode.py\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Allowlisting:\u003c/strong\u003e Strengthen command sanitization by implementing an allowlist approach instead of a blocklist in the \u003ccode\u003e_sanitize_command()\u003c/code\u003e function as described in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Process Creation:\u003c/strong\u003e Deploy the Sigma rule \u0026ldquo;Detect Suspicious PraisonAI Command Execution\u0026rdquo; to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Network Connections:\u003c/strong\u003e Deploy the Sigma rule \u0026ldquo;Detect Suspicious Outbound Connection from PraisonAI\u0026rdquo; to identify potential data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Authentication:\u003c/strong\u003e Ensure strong passwords are in use and consider multi-factor authentication to mitigate risks from compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T19:25:49Z","date_published":"2026-04-10T19:25:49Z","id":"/briefs/2024-01-09-praisonai-rce/","summary":"A vulnerability in PraisonAI allows authenticated users to execute arbitrary shell commands due to a hardcoded approval setting in the Chainlit UI modules, overriding administrator configurations and bypassing intended approval gates; insufficient command sanitization allows for destructive command execution, leading to confidentiality breach, integrity compromise, and availability impact on the server.","title":"PraisonAI UI Hardcoded Approval Mode Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-09-praisonai-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-40114"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","praisonai","cve-2026-40114","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability affecting versions prior to 4.5.128. The vulnerability resides in the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint, which accepts a \u003ccode\u003ewebhook_url\u003c/code\u003e parameter in the request body without proper validation. This allows an unauthenticated attacker to specify an arbitrary URL, causing the PraisonAI server to send an HTTP POST request to that URL upon job completion. This flaw enables attackers to target internal services, cloud metadata endpoints, and other network-adjacent resources, potentially leading to information disclosure, privilege escalation, or denial-of-service. Organizations using affected versions of PraisonAI should upgrade to version 4.5.128 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a PraisonAI instance running a version prior to 4.5.128.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ewebhook_url\u003c/code\u003e parameter containing a URL pointing to an internal service, cloud metadata endpoint, or external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server receives the request and queues a job.\u003c/li\u003e\n\u003cli\u003eThe job completes (either successfully or with an error).\u003c/li\u003e\n\u003cli\u003eUpon completion, the server, using \u003ccode\u003ehttpx.AsyncClient\u003c/code\u003e, initiates an HTTP POST request to the URL specified in the \u003ccode\u003ewebhook_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ewebhook_url\u003c/code\u003e points to an internal service, the attacker can potentially access sensitive information or trigger actions within that service.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ewebhook_url\u003c/code\u003e points to a cloud metadata endpoint, the attacker can retrieve cloud credentials or configuration details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an unauthenticated attacker to force the PraisonAI server to make arbitrary HTTP POST requests. This can lead to the exposure of sensitive information from internal services or cloud metadata, potentially granting the attacker unauthorized access to systems and data. The vulnerability could also be leveraged to perform denial-of-service attacks against internal resources. While the exact number of affected organizations is unknown, any organization running a vulnerable version of PraisonAI is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI instances to version 4.5.128 or later to remediate CVE-2026-40114.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to the \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint containing suspicious \u003ccode\u003ewebhook_url\u003c/code\u003e parameters to detect potential exploitation attempts. Deploy the Sigma rule to detect suspicious webhook URLs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected outbound connections originating from the PraisonAI server to internal or external destinations, as this could indicate SSRF exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:35Z","date_published":"2026-04-09T22:16:35Z","id":"/briefs/2024-01-praisonai-ssrf/","summary":"PraisonAI versions prior to 4.5.128 are vulnerable to Server-Side Request Forgery (SSRF) due to a lack of URL validation on the webhook_url parameter in the /api/v1/runs endpoint, allowing unauthenticated attackers to send arbitrary POST requests from the server.","title":"PraisonAI SSRF Vulnerability via Unvalidated Webhook URL","url":"https://feed.craftedsignal.io/briefs/2024-01-praisonai-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-40088"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40088","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to OS command injection in versions prior to 4.5.121. The vulnerability, identified as CVE-2026-40088, stems from the \u003ccode\u003eexecute_command\u003c/code\u003e function and workflow shell execution, which improperly handles user-controlled input. Attackers can inject arbitrary shell commands through shell metacharacters via agent workflows, YAML definitions, and LLM-generated tool calls. This can lead to complete system compromise. It is critical to upgrade to version 4.5.121 or later to remediate this vulnerability. The CVSS v3.1 base score for this vulnerability is 9.6, indicating a critical severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML definition or workflow for PraisonAI.\u003c/li\u003e\n\u003cli\u003eThis crafted input contains shell metacharacters designed to inject arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe user (victim) imports or executes the attacker-supplied YAML or workflow within PraisonAI.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecute_command\u003c/code\u003e function processes the input without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands are executed by the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution privileges on the PraisonAI server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform lateral movement, data exfiltration, or system compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker can further leverage the compromised system to target other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40088 allows an attacker to execute arbitrary commands on the PraisonAI server. This can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. The severity of this vulnerability is rated as critical with a CVSS v3.1 score of 9.6. This could affect any organization using PraisonAI versions prior to 4.5.121.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI to version 4.5.121 or later to patch CVE-2026-40088.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data processed by the \u003ccode\u003eexecute_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor PraisonAI logs for suspicious command execution patterns after upgrading.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions of the PraisonAI service account to minimize the impact of successful command injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:27Z","date_published":"2026-04-09T20:16:27Z","id":"/briefs/2026-04-praisonai-command-injection/","summary":"PraisonAI versions prior to 4.5.121 are vulnerable to OS command injection, allowing attackers to execute arbitrary shell commands via user-controlled input in agent workflows, YAML definitions, and LLM-generated tool calls.","title":"PraisonAI OS Command Injection Vulnerability (CVE-2026-40088)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI versions prior to 4.5.121 are susceptible to OS command injection. The vulnerability stems from the application\u0026rsquo;s use of \u003ccode\u003esubprocess.run()\u003c/code\u003e with the \u003ccode\u003eshell=True\u003c/code\u003e parameter when executing commands derived from various user-controlled inputs. These inputs include YAML workflow definitions, agent configuration files (agents.yaml), LLM-generated tool call parameters, and recipe step configurations. This configuration allows an attacker to inject arbitrary shell commands through shell metacharacters, leading to potential remote code execution and system compromise. This vulnerability is particularly concerning in automated environments like CI/CD pipelines or agent workflows, where unintended command execution can occur without direct user awareness.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML workflow definition or modifies an existing one, injecting shell metacharacters into the \u003ccode\u003etarget\u003c/code\u003e field of a \u003ccode\u003eshell\u003c/code\u003e step.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eagents.yaml\u003c/code\u003e file, injecting malicious commands into the \u003ccode\u003eshell_command\u003c/code\u003e field of an agent task.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the crafted YAML workflow or loads the modified \u003ccode\u003eagents.yaml\u003c/code\u003e file using PraisonAI\u0026rsquo;s command-line interface.\u003c/li\u003e\n\u003cli\u003ePraisonAI parses the YAML file and extracts the attacker-controlled command string.\u003c/li\u003e\n\u003cli\u003eThe application then passes this command string to \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e, allowing the shell to interpret the injected metacharacters.\u003c/li\u003e\n\u003cli\u003eThe shell executes the attacker\u0026rsquo;s injected commands, potentially performing actions like reading sensitive files, exfiltrating data, or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eIf using agent mode, an attacker can influence the LLM\u0026rsquo;s context to generate malicious tool calls including shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with the privileges of the PraisonAI process, leading to system compromise or data breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary shell commands on the affected system. This can lead to a variety of negative consequences, including unauthorized access to sensitive data (such as configuration files, credentials, or user data), modification or deletion of system files, and potentially full system compromise. In automated environments like CI/CD pipelines, this vulnerability could allow an attacker to inject malicious code into software builds, leading to supply chain attacks. The vulnerability affects versions of PraisonAI prior to 4.5.121.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Command Injection via Workflow\u0026rdquo; to identify attempts to exploit this vulnerability through malicious YAML workflow definitions (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Command Injection via Agent Configuration\u0026rdquo; to identify attempts to exploit this vulnerability through malicious agent configurations (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003eattacker.com\u003c/code\u003e listed in the IOC table at the DNS resolver to prevent data exfiltration and command-and-control communication (type: \u003ccode\u003edomain\u003c/code\u003e, value: \u003ccode\u003eattacker.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.121 or later to patch this vulnerability (Affected Packages).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T21:52:10Z","date_published":"2026-04-08T21:52:10Z","id":"/briefs/2024-02-29-praisonai-command-injection/","summary":"PraisonAI is vulnerable to OS command injection due to the use of `subprocess.run()` with `shell=True` on user-controlled inputs, allowing attackers to inject arbitrary shell commands and potentially leading to sensitive data exfiltration or system compromise in versions prior to 4.5.121.","title":"PraisonAI Vulnerable to OS Command Injection","url":"https://feed.craftedsignal.io/briefs/2024-02-29-praisonai-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-34937"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-34937","os command injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to an OS command injection vulnerability affecting versions prior to 1.5.90. The vulnerability, identified as CVE-2026-34937, stems from the \u003ccode\u003erun_python()\u003c/code\u003e function\u0026rsquo;s construction of shell command strings. This function interpolates user-controlled code into a \u003ccode\u003epython3 -c \u0026quot;\u0026lt;code\u0026gt;\u0026quot;\u003c/code\u003e command and executes it using \u003ccode\u003esubprocess.run(..., shell=True)\u003c/code\u003e. The inadequate escaping logic, specifically the failure to escape \u003ccode\u003e$()\u003c/code\u003e and backtick substitutions, enables arbitrary OS command execution prior to Python\u0026rsquo;s invocation. Users of PraisonAI are urged to upgrade to version 1.5.90 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of PraisonAI running a version prior to 1.5.90.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious code containing OS command injection payloads using \u003ccode\u003e$()\u003c/code\u003e or backticks.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious code into a parameter or input field that is processed by the \u003ccode\u003erun_python()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_python()\u003c/code\u003e function constructs the shell command string, interpolating the attacker\u0026rsquo;s malicious code without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.run()\u003c/code\u003e function executes the crafted shell command with \u003ccode\u003eshell=True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s OS command is executed on the host system with the privileges of the PraisonAI application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system, potentially enabling data exfiltration, system modification, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34937) allows an attacker to execute arbitrary OS commands on the system running PraisonAI. This could lead to complete system compromise, data breaches, or denial of service. The severity is high because it allows unauthenticated or low-privileged users to gain complete control of the system. Organizations using affected versions of PraisonAI are at risk of significant data loss and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI to version 1.5.90 or later to patch CVE-2026-34937.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI OS Command Injection Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of unexpected processes originating from the PraisonAI application to detect post-exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:06Z","date_published":"2026-04-03T23:17:06Z","id":"/briefs/2026-04-praisonai-os-command-injection/","summary":"PraisonAI versions prior to 1.5.90 are vulnerable to OS Command Injection (CVE-2026-34937) due to insufficient escaping in the run_python() function, allowing arbitrary OS command execution via shell interpolation.","title":"PraisonAI OS Command Injection Vulnerability (CVE-2026-34937)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-os-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s \u003ccode\u003eSubprocessSandbox\u003c/code\u003e, even in STRICT mode, is vulnerable to a sandbox escape. The vulnerability arises from the use of \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e in \u003ccode\u003esandbox_executor.py\u003c/code\u003e, coupled with an insufficient blocklist that fails to include \u003ccode\u003esh\u003c/code\u003e and \u003ccode\u003ebash\u003c/code\u003e as standalone executables. This oversight allows attackers to bypass the intended command restrictions by executing arbitrary commands through \u003ccode\u003esh -c '\u0026lt;command\u0026gt;'\u003c/code\u003e.  Versions of PraisonAI up to 4.5.96 are affected. This means that any command blocked by the configured policy can be trivially executed, which could allow agent prompt injection attacks to lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious command to be executed within the PraisonAI environment.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI application receives the crafted command and attempts to execute it within the \u003ccode\u003eSubprocessSandbox\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSubprocessSandbox\u003c/code\u003e uses \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e to execute the provided command.\u003c/li\u003e\n\u003cli\u003eThe blocklist in \u003ccode\u003esandbox_executor.py\u003c/code\u003e fails to block the \u003ccode\u003esh\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e commands themselves.\u003c/li\u003e\n\u003cli\u003eThe attacker injects shell commands via \u003ccode\u003esh -c '\u0026lt;blocked_command\u0026gt;'\u003c/code\u003e, bypassing the string-pattern matching intended to restrict execution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh\u003c/code\u003e process executes the attacker\u0026rsquo;s command within the sandbox\u0026rsquo;s context, bypassing the intended security restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources such as network connections, the filesystem, or cloud metadata services.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and potentially compromises the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass the intended security restrictions imposed by the PraisonAI \u003ccode\u003eSubprocessSandbox\u003c/code\u003e, even in its strictest configuration. This could lead to privilege escalation, unauthorized access to sensitive data, and the potential compromise of the entire system. Specifically, an attacker could leverage this escape to access network resources, manipulate the filesystem, or extract sensitive information from cloud metadata services. The lack of effective sandboxing could have severe consequences for environments relying on PraisonAI for secure execution of untrusted code.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix of using \u003ccode\u003eshlex.split()\u003c/code\u003e and \u003ccode\u003eshell=False\u003c/code\u003e when calling \u003ccode\u003esubprocess.run()\u003c/code\u003e to prevent shell command injection (reference: suggested fix code block).\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version beyond 4.5.96 to incorporate the patch for CVE-2026-34955 (reference: CVE-2026-34955).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect the execution of \u003ccode\u003esh\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e with the \u003ccode\u003e-c\u003c/code\u003e option, which is indicative of attempts to bypass command restrictions (reference: Sigma rule \u0026ldquo;Detect sh/bash Command Execution with -c Option\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a more comprehensive blocklist that includes \u003ccode\u003esh\u003c/code\u003e and \u003ccode\u003ebash\u003c/code\u003e as standalone executables in addition to dangerous patterns (reference: \u003ccode\u003esandbox_executor.py:179\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T23:26:01Z","date_published":"2026-04-01T23:26:01Z","id":"/briefs/2024-01-03-praisonai-sandbox-escape/","summary":"PraisonAI's SubprocessSandbox allows attackers to bypass command restrictions due to the use of `shell=True` in `subprocess.run()` combined with an insufficient blocklist that does not include `sh` or `bash`, enabling command execution via `sh -c '\u003ccommand\u003e'`.","title":"PraisonAI SubprocessSandbox Shell Escape via sh/bash","url":"https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","praisonai","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI versions 4.5.89 and earlier are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-34936) due to insufficient validation of the \u003ccode\u003eapi_base\u003c/code\u003e parameter within the \u003ccode\u003epassthrough()\u003c/code\u003e function. This flaw allows an attacker to control the base URL used in HTTP requests, enabling them to target internal services, external hosts, or cloud metadata endpoints. The vulnerability arises because the \u003ccode\u003eapi_base\u003c/code\u003e parameter is directly concatenated with the \u003ccode\u003eendpoint\u003c/code\u003e parameter and passed to \u003ccode\u003ehttpx.Client.request()\u003c/code\u003e without any sanitization. This is triggered in the \u003ccode\u003epassthrough()\u003c/code\u003e function if the \u003ccode\u003elitellm\u003c/code\u003e primary path raises an \u003ccode\u003eAttributeError\u003c/code\u003e. This allows attackers to bypass intended access controls and potentially retrieve sensitive information or trigger unintended actions within the PraisonAI server\u0026rsquo;s network. The vulnerability was reported on April 1, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PraisonAI instance running a vulnerable version (\u0026lt;= 4.5.89).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u003ccode\u003epassthrough()\u003c/code\u003e function, providing a crafted \u003ccode\u003eapi_base\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003eapi_base\u003c/code\u003e contains the address of an internal service (e.g., Redis, Elasticsearch, Kubernetes API) or the EC2 metadata service (\u003ccode\u003ehttp://169.254.169.254\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn \u003ccode\u003eAttributeError\u003c/code\u003e is triggered in the \u003ccode\u003elitellm\u003c/code\u003e primary path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epassthrough()\u003c/code\u003e function, within \u003ccode\u003epassthrough.py\u003c/code\u003e, concatenates the attacker-controlled \u003ccode\u003eapi_base\u003c/code\u003e with the specified \u003ccode\u003eendpoint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe resulting URL is then passed to \u003ccode\u003ehttpx.Client.request()\u003c/code\u003e, making an HTTP request to the attacker-specified destination.\u003c/li\u003e\n\u003cli\u003eIf targeting the EC2 metadata service, the attacker can retrieve IAM credentials associated with the instance.\u003c/li\u003e\n\u003cli\u003eIf targeting internal services, the attacker can potentially access sensitive data or perform unauthorized actions, due to the default \u003ccode\u003eAUTH_ENABLED = False\u003c/code\u003e setting.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can lead to serious consequences. On cloud infrastructure, attackers can steal IAM credentials from the EC2 metadata service (IMDSv1), potentially gaining control over the entire AWS account. Internal services within the VPC, such as Redis, Elasticsearch, and Kubernetes API, become accessible without authentication, as the Flask API server deploys with \u003ccode\u003eAUTH_ENABLED = False\u003c/code\u003e by default. This can lead to data breaches, service disruptions, or further lateral movement within the internal network. This vulnerability affects deployments of PraisonAI version 4.5.89 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to a version greater than 4.5.89 to patch CVE-2026-34936.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eapi_base\u003c/code\u003e parameter within the \u003ccode\u003epassthrough()\u003c/code\u003e function to prevent SSRF attacks.\u003c/li\u003e\n\u003cli\u003eIf running on AWS, disable IMDSv1 and migrate to IMDSv2 to mitigate the risk of IAM credential theft.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to restrict access to internal services from the PraisonAI server.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to exploit the SSRF vulnerability by monitoring for connections to the EC2 metadata service or the local loopback address.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T23:22:44Z","date_published":"2026-04-01T23:22:44Z","id":"/briefs/2026-04-praisonai-ssrf/","summary":"PraisonAI versions 4.5.89 and earlier are vulnerable to SSRF via the `api_base` parameter in the `passthrough()` function, allowing attackers to make requests to internal services or external hosts, potentially leading to IAM credential theft on cloud infrastructure or access to internal services within the VPC.","title":"PraisonAI SSRF Vulnerability via Unvalidated api_base Parameter","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Praisonai","version":"https://jsonfeed.org/version/1.1"}