Mervinpraison Praisonai vulnerabilities
53 known vulnerabilities affecting mervinpraison/praisonai.
Total CVEs: 53
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 22, HIGH 24, MEDIUM 7
Vulnerabilities
Page 1 of 3
CVE-2026-44338 | P1 | HIGH | CVSS 7.3 | CWE-306 | Exploited | PoC | v>= 2.5.6, < 4.6.34 | 2026-05-08
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been p
Sources: GHSA, NVD

CVE-2026-40114 | P2 | CRITICAL | CVSS 10.0 | CWE-918 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server
Sources: GHSA, NVD

CVE-2026-34938 | P2 | CRITICAL | CVSS 10.0 | CWE-693 | fixed in 1.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue
Sources: NVD

CVE-2026-40288 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 4.5.139 | 2026-04-14
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support
Sources: GHSA, NVD

CVE-2026-34935 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 4.6.9 | 2026-04-03
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has be
Sources: GHSA, NVD, OSV

CVE-2026-39305 | P2 | CRITICAL | CVSS 10.0 | CWE-22 | fixed in 4.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sens
Sources: GHSA, NVD, OSV

CVE-2026-39890 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 4.5.115 | 2026-04-08
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can
Sources: GHSA, NVD, OSV

CVE-2026-34937 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 1.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS com
Sources: NVD

CVE-2026-40289 | P2 | CRITICAL | CVSS 9.1 | CWE-306 | fixed in 4.5.139 | 2026-04-14
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and
Sources: GHSA, NVD

CVE-2026-34955 | P2 | CRITICAL | CVSS 10.0 | CWE-78 | fixed in 4.5.97 | 2026-04-04
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in ST
Sources: GHSA, NVD, OSV

CVE-2026-40151 | P3 | MEDIUM | CVSS 5.3 | CWE-200 | PoC | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults t
Sources: GHSA, NVD

CVE-2026-40315 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v praisonaiagents < 1.6.9; v praisonai < 4.6.9 | 2026-04-14
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who cont
Sources: GHSA, NVD

CVE-2026-34952 | P3 | CRITICAL | CVSS 9.1 | CWE-306 | fixed in 4.5.97 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version
Sources: GHSA, NVD, OSV

CVE-2026-44336 | P3 | CRITICAL | CVSS 9.6 | CWE-20 | fixed in 4.6.34 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call argument
Sources: GHSA, NVD

CVE-2026-34953 | P3 | CRITICAL | CVSS 9.1 | CWE-863 | fixed in 4.5.97 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. Th
Sources: GHSA, NVD, OSV

CVE-2026-34934 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 4.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full datab
Sources: GHSA, NVD, OSV

CVE-2026-44335 | P3 | CRITICAL | CVSS 9.8 | CWE-918 | fixed in 1.6.32 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.
Sources: NVD

CVE-2026-40313 | P3 | CRITICAL | CVSS 9.1 | CWE-829 | fixed in 4.5.140 | 2026-04-14
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the
Sources: NVD

CVE-2026-40088 | P3 | CRITICAL | CVSS 9.6 | CWE-78 | fixed in 4.5.121 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
Sources: GHSA, NVD, OSV

CVE-2026-34954 | P3 | HIGH | CVSS 8.6 | CWE-918 | fixed in 1.5.95 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud m
Sources: NVD