Threat Feed

Vendor

PraisonAI

16 briefs
high advisory

PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion

PraisonAI's template loader is vulnerable to a path traversal flaw (GHSA-f44v-7qgw-9gh9) when processing GitHub template URIs, allowing an unauthenticated attacker to write arbitrary files or delete arbitrary directories on the system running PraisonAI, leading to corruption of user configuration, project state, or application data.

praisonai path-traversal application-vulnerability python file-write file-deletion
high advisory

PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters

A command injection vulnerability (CVE-NONE) exists in PraisonAI's `praisonaiagents` package (versions <= 1.6.48) where unsanitized LLM-controlled parameters are directly interpolated into IMAP SEARCH commands, allowing attackers to craft malicious prompts to inject arbitrary IMAP commands, leading to unauthorized email exfiltration, deletion, or denial-of-service when email tools are configured.

praisonaiagents command-injection llm-agent imap email data-exfiltration
high advisory

npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining

A critical command injection vulnerability exists in the `npm:praisonai` package versions >= 1.2.3 and <= 1.7.1, where the `SandboxExecutor`'s `allowedCommands` policy is bypassed by allowing arbitrary shell command chaining after an allowlisted command, leading to remote code execution with the PraisonAI process privileges.

npm:praisonai command-injection npm nodejs sandbox-bypass vulnerability rce server-side
high threat

PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web Tools via Attacker-Controlled searxng_url Parameter

A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.

exploited praisonaiagents ssrf llm-agent prompt-injection praisonai python ghsa
high advisory

PraisonAI Authentication Bypass via PRAISONAI_CALL_AUTH=disabled

A high-severity authentication bypass vulnerability in PraisonAI versions prior to 4.6.61 allows unauthenticated attackers to invoke any registered agent by setting the `PRAISONAI_CALL_AUTH=disabled` environment variable, potentially leading to arbitrary code execution or system compromise.

praisonai web-vulnerability authentication-bypass api-exploitation misconfiguration container
critical advisory

npm PraisonAI AgentOS Unauthenticated API Exposure

The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.

praisonai api-abuse unauthenticated-access information-disclosure server-side-request-forgery web node.js npm
critical advisory

Praisonai-platform Critical Authentication Bypass Due to Persistent Hardcoded JWT Secret

Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to full unauthorized access, privilege escalation to workspace owner, and potential resource destruction.

praisonai-platform authentication-bypass hardcoded-credentials jwt python web-application supply-chain
critical threat

PraisonAI Platform Workspace Cross-Access Vulnerability

PraisonAI Platform's workspace-scoped REST routes have an object-level authorization flaw allowing authenticated users from one workspace to access, modify, and delete objects in another workspace by providing the victim object's global UUID.

PraisonAI Platform authorization privilege-escalation workspace-bypass
critical threat

PraisonAI Platform Cross-Workspace IDOR and Privilege Escalation

PraisonAI Platform is vulnerable to cross-workspace IDOR and member-role privilege escalation, allowing unauthorized users to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces due to insufficient access controls and role enforcement.

praisonai-platform idor privilege-escalation cross-tenant-access fastapi
high advisory

PraisonAI Arbitrary File Write Vulnerability

PraisonAI versions 4.6.37 and earlier are vulnerable to arbitrary file write due to missing path validation in the `write_file` function when `workspace=None`, allowing an attacker to write attacker-controlled content to arbitrary file paths on the victim's system via a malicious webpage.

PraisonAI <= 4.6.37 arbitrary file write web crawling data exfiltration
critical advisory

PraisonAI A2A Server Example Unauthenticated Remote Code Execution

The PraisonAI A2A server example is vulnerable to remote code execution due to a combination of factors: the example exposes an A2A server without authentication, binds to 0.0.0.0, and registers a `calculate` tool implemented with Python `eval(expression)`.

A2A server example a2a praisonai rce eval
critical advisory

PraisonAI Call Server Unauthenticated Agent Control API

PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured, allowing attackers to list, inspect, invoke, and unregister agents due to a fail-open authentication default and a default binding to `0.0.0.0`, as tracked by CVE-2026-47396.

PraisonAI unauthenticated-access api
high advisory

PraisonAI Unsafe Tool Resolution Vulnerability

PraisonAI resolves tool names against module globals and `__main__` after failing to match declared tools, allowing an attacker who can influence tool-call names to invoke unintended application callables, leading to potential unauthorized state changes and command execution.

PraisonAI +1 vulnerability code-execution ai-agent
high advisory

PraisonAI Symlink Extraction Bypass Vulnerability

PraisonAI versions 2.7.2 through 4.6.35 are vulnerable to an arbitrary file write due to improper validation of symlinks during archive extraction, affecting `recipe pull`, `recipe publish`, and `recipe unpack` flows.

PraisonAI symlink arbitrary file write path traversal attack.persistence attack.privilege_escalation
critical advisory

PraisonAI MCP Path Traversal to RCE via .pth Injection

PraisonAI's MCP server is vulnerable to path traversal leading to arbitrary code execution by writing a Python `.pth` file into the user's site-packages directory, triggered via poisoned LLM contexts or unauthenticated HTTP-stream transports due to unvalidated kwargs in the dispatcher and lack of containment checks in file-handling tools.

MCP path-traversal code-execution prompt-injection
high advisory

PraisonAI Legacy API Server Authentication Bypass (CVE-2026-44338)

PraisonAI ships a legacy Flask API server with authentication disabled by default, allowing any reachable caller to access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without providing a token (CVE-2026-44338).

PraisonAI authentication bypass API CVE-2026-44338