Attack Chain

1. An attacker identifies a PraisonAI instance where the table_prefix or schema (PostgreSQL) parameter is derived from external input (e.g., API request, user-modifiable configuration).
2. The attacker crafts a malicious table_prefix or schema string containing SQL injection payload (e.g., “x’; DROP TABLE users; –”).
3. The attacker injects the malicious table_prefix or schema via the vulnerable input vector.
4. The PraisonAI application receives the crafted table_prefix or schema and incorporates it into a dynamically generated SQL query without proper sanitization.
5. The application executes the malicious SQL query against the database.
6. The attacker’s injected SQL commands are executed, potentially allowing them to read, modify, or delete data within the database.
7. The attacker gains unauthorized access to sensitive data, such as user credentials, financial information, or other confidential data.
8. The attacker may escalate privileges, compromise other systems, or perform further malicious activities within the affected environment.

Impact

Successful exploitation of this vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The attacker can read sensitive data, modify existing records, inject malicious code, or even drop entire tables. This can result in significant data loss, financial damage, and reputational harm for affected organizations. This vulnerability is exploitable in any deployment where the table_prefix is derived from external input, such as in multi-tenant setups or API-driven configurations. The PostgreSQL schema parameter provides an additional injection point, further expanding the attack surface.

Recommendation

• Apply input validation and sanitization to the table_prefix parameter in all database backends, mirroring the fix implemented for sqlite.py as described in the overview.
• Apply input validation and sanitization to the schema parameter in the PostgreSQL backend, as noted in the overview.
• Deploy the Sigma rule Detect Malicious Table Prefix to detect attempts to exploit this vulnerability in MySQL and PostgreSQL backends, as detailed below.
• Upgrade PraisonAI to a version that includes proper input validation for table_prefix and schema parameters, targeting versions later than 4.5.148 for PraisonAI and later than 1.6.7 for PraisonAI Agents.

Attack Chain

1. Attacker identifies a vulnerable PraisonAI instance with network access to the browser bridge component.
2. Attacker establishes a direct WebSocket connection to the /ws endpoint of the browser bridge, omitting the Origin header to bypass the weak origin check.
3. Attacker sends a “start_session” message to the WebSocket endpoint.
4. The server routes the attacker’s “start_session” request to the first idle browser-extension WebSocket, effectively hijacking that session.
5. The hijacked browser session begins executing commands dictated by the attacker.
6. All automation actions and outputs resulting from the hijacked session are broadcast back to the attacker via the WebSocket connection.
7. Attacker gains unauthorized remote control of the connected browser automation session.
8. Attacker exfiltrates sensitive data and/or misuses model-backed browser actions.

Impact

Successful exploitation of CVE-2026-40289 can lead to complete compromise of PraisonAI browser automation sessions. An attacker can gain unauthorized remote control, potentially leading to leakage of sensitive page context and automation results. Furthermore, they can misuse model-backed browser actions. The vulnerability affects all environments where the bridge is network-reachable. The severity of the impact is high, as it allows for unauthenticated remote code execution within the context of the PraisonAI browser extension.

Recommendation

• Upgrade PraisonAI to version 4.5.139 or later, and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40289.
• Monitor network connections to the /ws endpoint on PraisonAI servers (logsource category: network_connection, product: windows/linux).
• Deploy the Sigma rule to detect suspicious websocket connections without origin header (see rule below).
• Implement network segmentation to limit network access to the PraisonAI browser bridge component.

Attack Chain

1. Attacker identifies a vulnerable PraisonAI instance running version 4.5.138 or below.
2. Attacker crafts a malicious Python script named tools.py containing arbitrary code.
3. Attacker gains write access to the directory where PraisonAI is launched. This could be through a compromised shared project, a writable workspace, or other means of file upload.
4. Attacker places the malicious tools.py file into the PraisonAI launch directory.
5. PraisonAI is started or restarted, automatically importing and executing the attacker’s tools.py file. The call.py or tool_resolver.py components trigger the import process.
6. The malicious code in tools.py executes within the context of the PraisonAI process.
7. Attacker achieves arbitrary code execution on the host system, escalating privileges as needed.
8. Attacker uses the compromised system to steal data, install malware, or pivot to other systems.

Impact

Successful exploitation allows attackers to execute arbitrary code on systems running vulnerable versions of PraisonAI. This can lead to complete system compromise, data theft, and potential lateral movement within the network. The vulnerability affects all users of PraisonAI versions 4.5.138 and below. The impact of this vulnerability is high due to the ease of exploitation and the potential for widespread damage.

Recommendation

• Upgrade PraisonAI to version 4.5.139 or later to patch CVE-2026-40287.
• Implement strict file permission controls on the PraisonAI installation directory to prevent unauthorized file creation.
• Deploy the Sigma rules provided below to detect suspicious file creation events in PraisonAI working directories.
• Enable process monitoring on systems running PraisonAI to detect unexpected Python code execution.

Attack Chain

1. An attacker crafts a malicious YAML file (e.g., exploit.yaml) containing commands to be executed.
2. The attacker gains access to a system where PraisonAI is installed and can execute the praisonai command.
3. The attacker executes the command praisonai workflow run exploit.yaml, pointing to the malicious YAML file.
4. PraisonAI parses the YAML file and identifies the type: job directive.
5. The JobWorkflowExecutor class in job_workflow.py is invoked to process the workflow steps.
6. Within the workflow steps, commands specified using run:, script:, or python: directives are executed. Specifically, _exec_shell() executes shell commands, _exec_inline_python() executes inline Python, and _exec_python_script() executes Python scripts.
7. The malicious code executes, performing actions such as writing files (e.g., pwned.txt) or executing arbitrary system commands.
8. The attacker achieves arbitrary code execution on the host system, leading to potential system compromise.

Impact

Successful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.

Recommendation

• Upgrade pip/praisonaiagents and pip/PraisonAI to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.
• Implement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the type: job directive to prevent execution of arbitrary commands and code.
• Deploy the Sigma rule “Detect PraisonAI Workflow Execution with Suspicious YAML” to your SIEM to detect potential exploitation attempts, based on log source process_creation.

Attack Chain

1. An attacker authenticates to the PraisonAI UI using valid credentials (default admin/admin if unchanged).
2. The attacker crafts a chat message that instructs the LLM agent to execute a shell command via the acp_execute_command function.
3. The LLM agent parses the message and prepares the command for execution.
4. Due to the hardcoded approval_mode = "auto" in chat.py or code.py, the command bypasses the intended approval process in agent_tools.py.
5. The subprocess.run() function in action_orchestrator.py executes the attacker-controlled command with shell=True.
6. The command executes with the permissions of the PraisonAI process.
7. The result of the command execution is returned to the attacker via the chat interface.
8. The attacker leverages this vulnerability to achieve code execution, data exfiltration, or other malicious objectives.

Impact

Successful exploitation allows an authenticated user to execute arbitrary shell commands on the server hosting PraisonAI. This can lead to:

• Confidentiality breach: Read sensitive files accessible to the process (e.g., /etc/passwd, application secrets).
• Integrity compromise: Modify or delete files, install backdoors.
• Availability impact: Kill processes, consume resources, delete data.
• Administrator control undermined: The hardcoded approval_mode silently overrides administrator-configured settings, creating a false sense of security.
• Prompt injection vector: Malicious content could trigger command execution through auto-approved tools without direct user intent, especially through external sources like web searches or uploaded files.

The vulnerable versions are PraisonAI versions prior to 4.5.128.

Recommendation

• Upgrade PraisonAI: Upgrade to version 4.5.128 or later to patch the vulnerability.
• Apply Code-Level Fix: If upgrading is not immediately feasible, manually remove the hardcoded override in chat.py and code.py as described in the advisory.
• Implement Allowlisting: Strengthen command sanitization by implementing an allowlist approach instead of a blocklist in the _sanitize_command() function as described in the advisory.
• Monitor Process Creation: Deploy the Sigma rule “Detect Suspicious PraisonAI Command Execution” to detect exploitation attempts.
• Monitor Network Connections: Deploy the Sigma rule “Detect Suspicious Outbound Connection from PraisonAI” to identify potential data exfiltration attempts.
• Review Authentication: Ensure strong passwords are in use and consider multi-factor authentication to mitigate risks from compromised credentials.

Attack Chain

1. An unauthenticated attacker identifies a PraisonAI instance running a version prior to 4.5.128.
2. The attacker crafts a malicious HTTP POST request to the /api/v1/runs endpoint.
3. The crafted request includes a webhook_url parameter containing a URL pointing to an internal service, cloud metadata endpoint, or external attacker-controlled server.
4. The PraisonAI server receives the request and queues a job.
5. The job completes (either successfully or with an error).
6. Upon completion, the server, using httpx.AsyncClient, initiates an HTTP POST request to the URL specified in the webhook_url parameter.
7. If the webhook_url points to an internal service, the attacker can potentially access sensitive information or trigger actions within that service.
8. If the webhook_url points to a cloud metadata endpoint, the attacker can retrieve cloud credentials or configuration details.

Impact

Successful exploitation of this SSRF vulnerability allows an unauthenticated attacker to force the PraisonAI server to make arbitrary HTTP POST requests. This can lead to the exposure of sensitive information from internal services or cloud metadata, potentially granting the attacker unauthorized access to systems and data. The vulnerability could also be leveraged to perform denial-of-service attacks against internal resources. While the exact number of affected organizations is unknown, any organization running a vulnerable version of PraisonAI is at risk.

Recommendation

• Upgrade PraisonAI instances to version 4.5.128 or later to remediate CVE-2026-40114.
• Inspect web server logs for requests to the /api/v1/runs endpoint containing suspicious webhook_url parameters to detect potential exploitation attempts. Deploy the Sigma rule to detect suspicious webhook URLs.
• Monitor network traffic for unexpected outbound connections originating from the PraisonAI server to internal or external destinations, as this could indicate SSRF exploitation.

Attack Chain

1. An attacker crafts a malicious YAML definition or workflow for PraisonAI.
2. This crafted input contains shell metacharacters designed to inject arbitrary commands.
3. The user (victim) imports or executes the attacker-supplied YAML or workflow within PraisonAI.
4. The execute_command function processes the input without proper sanitization.
5. The injected shell commands are executed by the underlying operating system.
6. The attacker gains arbitrary code execution privileges on the PraisonAI server.
7. The attacker can then perform lateral movement, data exfiltration, or system compromise.
8. The attacker can further leverage the compromised system to target other systems within the network.

Impact

Successful exploitation of CVE-2026-40088 allows an attacker to execute arbitrary commands on the PraisonAI server. This can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. The severity of this vulnerability is rated as critical with a CVSS v3.1 score of 9.6. This could affect any organization using PraisonAI versions prior to 4.5.121.

Recommendation

• Immediately upgrade PraisonAI to version 4.5.121 or later to patch CVE-2026-40088.
• Implement input validation and sanitization for all user-supplied data processed by the execute_command function.
• Monitor PraisonAI logs for suspicious command execution patterns after upgrading.
• Deploy the Sigma rules provided below to detect potential exploitation attempts.
• Review and restrict permissions of the PraisonAI service account to minimize the impact of successful command injection.

Attack Chain

1. An attacker crafts a malicious YAML workflow definition or modifies an existing one, injecting shell metacharacters into the target field of a shell step.
2. Alternatively, the attacker modifies the agents.yaml file, injecting malicious commands into the shell_command field of an agent task.
3. The attacker triggers the execution of the crafted YAML workflow or loads the modified agents.yaml file using PraisonAI’s command-line interface.
4. PraisonAI parses the YAML file and extracts the attacker-controlled command string.
5. The application then passes this command string to subprocess.run() with shell=True, allowing the shell to interpret the injected metacharacters.
6. The shell executes the attacker’s injected commands, potentially performing actions like reading sensitive files, exfiltrating data, or modifying system configurations.
7. If using agent mode, an attacker can influence the LLM’s context to generate malicious tool calls including shell commands.
8. The attacker achieves arbitrary code execution with the privileges of the PraisonAI process, leading to system compromise or data breach.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary shell commands on the affected system. This can lead to a variety of negative consequences, including unauthorized access to sensitive data (such as configuration files, credentials, or user data), modification or deletion of system files, and potentially full system compromise. In automated environments like CI/CD pipelines, this vulnerability could allow an attacker to inject malicious code into software builds, leading to supply chain attacks. The vulnerability affects versions of PraisonAI prior to 4.5.121.

Recommendation

• Deploy the Sigma rule “Detect PraisonAI Command Injection via Workflow” to identify attempts to exploit this vulnerability through malicious YAML workflow definitions (logsource: process_creation).
• Deploy the Sigma rule “Detect PraisonAI Command Injection via Agent Configuration” to identify attempts to exploit this vulnerability through malicious agent configurations (logsource: process_creation).
• Block the C2 domain attacker.com listed in the IOC table at the DNS resolver to prevent data exfiltration and command-and-control communication (type: domain, value: attacker.com).
• Upgrade PraisonAI to version 4.5.121 or later to patch this vulnerability (Affected Packages).

Attack Chain

1. An attacker identifies an instance of PraisonAI running a version prior to 1.5.90.
2. The attacker crafts malicious code containing OS command injection payloads using $() or backticks.
3. The attacker injects the malicious code into a parameter or input field that is processed by the run_python() function.
4. The run_python() function constructs the shell command string, interpolating the attacker’s malicious code without proper escaping.
5. The subprocess.run() function executes the crafted shell command with shell=True.
6. The attacker’s OS command is executed on the host system with the privileges of the PraisonAI application.
7. The attacker gains unauthorized access to the system, potentially enabling data exfiltration, system modification, or denial of service.

Impact

Successful exploitation of this vulnerability (CVE-2026-34937) allows an attacker to execute arbitrary OS commands on the system running PraisonAI. This could lead to complete system compromise, data breaches, or denial of service. The severity is high because it allows unauthenticated or low-privileged users to gain complete control of the system. Organizations using affected versions of PraisonAI are at risk of significant data loss and reputational damage.

Recommendation

• Immediately upgrade PraisonAI to version 1.5.90 or later to patch CVE-2026-34937.
• Deploy the Sigma rule “Detect PraisonAI OS Command Injection Attempt” to your SIEM to identify potential exploitation attempts.
• Monitor process creation events for the execution of unexpected processes originating from the PraisonAI application to detect post-exploitation activity.

Attack Chain

1. An attacker crafts a malicious command to be executed within the PraisonAI environment.
2. The PraisonAI application receives the crafted command and attempts to execute it within the SubprocessSandbox.
3. The SubprocessSandbox uses subprocess.run() with shell=True to execute the provided command.
4. The blocklist in sandbox_executor.py fails to block the sh or bash commands themselves.
5. The attacker injects shell commands via sh -c '<blocked_command>', bypassing the string-pattern matching intended to restrict execution.
6. The sh process executes the attacker’s command within the sandbox’s context, bypassing the intended security restrictions.
7. The attacker gains unauthorized access to resources such as network connections, the filesystem, or cloud metadata services.
8. The attacker escalates privileges and potentially compromises the entire system.

Impact

Successful exploitation of this vulnerability allows attackers to bypass the intended security restrictions imposed by the PraisonAI SubprocessSandbox, even in its strictest configuration. This could lead to privilege escalation, unauthorized access to sensitive data, and the potential compromise of the entire system. Specifically, an attacker could leverage this escape to access network resources, manipulate the filesystem, or extract sensitive information from cloud metadata services. The lack of effective sandboxing could have severe consequences for environments relying on PraisonAI for secure execution of untrusted code.

Recommendation

• Apply the suggested fix of using shlex.split() and shell=False when calling subprocess.run() to prevent shell command injection (reference: suggested fix code block).
• Upgrade PraisonAI to a version beyond 4.5.96 to incorporate the patch for CVE-2026-34955 (reference: CVE-2026-34955).
• Deploy the provided Sigma rule to detect the execution of sh or bash with the -c option, which is indicative of attempts to bypass command restrictions (reference: Sigma rule “Detect sh/bash Command Execution with -c Option”).
• Implement a more comprehensive blocklist that includes sh and bash as standalone executables in addition to dangerous patterns (reference: sandbox_executor.py:179).

Attack Chain

1. An attacker identifies a PraisonAI instance running a vulnerable version (<= 4.5.89).
2. The attacker crafts a malicious request to the passthrough() function, providing a crafted api_base parameter.
3. The crafted api_base contains the address of an internal service (e.g., Redis, Elasticsearch, Kubernetes API) or the EC2 metadata service (http://169.254.169.254).
4. An AttributeError is triggered in the litellm primary path.
5. The passthrough() function, within passthrough.py, concatenates the attacker-controlled api_base with the specified endpoint.
6. The resulting URL is then passed to httpx.Client.request(), making an HTTP request to the attacker-specified destination.
7. If targeting the EC2 metadata service, the attacker can retrieve IAM credentials associated with the instance.
8. If targeting internal services, the attacker can potentially access sensitive data or perform unauthorized actions, due to the default AUTH_ENABLED = False setting.

Impact

Successful exploitation of this SSRF vulnerability can lead to serious consequences. On cloud infrastructure, attackers can steal IAM credentials from the EC2 metadata service (IMDSv1), potentially gaining control over the entire AWS account. Internal services within the VPC, such as Redis, Elasticsearch, and Kubernetes API, become accessible without authentication, as the Flask API server deploys with AUTH_ENABLED = False by default. This can lead to data breaches, service disruptions, or further lateral movement within the internal network. This vulnerability affects deployments of PraisonAI version 4.5.89 and earlier.

Recommendation

• Upgrade PraisonAI to a version greater than 4.5.89 to patch CVE-2026-34936.
• Implement input validation and sanitization on the api_base parameter within the passthrough() function to prevent SSRF attacks.
• If running on AWS, disable IMDSv1 and migrate to IMDSv2 to mitigate the risk of IAM credential theft.
• Implement network segmentation and access controls to restrict access to internal services from the PraisonAI server.
• Deploy the following Sigma rule to detect attempts to exploit the SSRF vulnerability by monitoring for connections to the EC2 metadata service or the local loopback address.