Mervinpraison Praisonai vulnerabilities
53 known vulnerabilities affecting mervinpraison/praisonai.
Total CVEs: 53
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 22, HIGH 24, MEDIUM 7
Vulnerabilities
Page 2 of 3
CVE-2026-39891 | P3 | HIGH | CWE-94 | CVSS 8.8 | fixed in 4.5.115 | 2026-04-08
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as liter
Sources: GHSA, NVD, OSV
CVE-2026-40157 | P3 | HIGH | CWE-22 | CVSS 8.8 | fixed in 4.5.128 | 2026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary
Sources: GHSA, NVD
CVE-2026-44339 | P3 | HIGH | CWE-470 | CVSS 8.6 | versions praisonaiagents < 1.6.37, praisonai < 4.6.37 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool na
Sources: GHSA, NVD
CVE-2026-40154 | P3 | CRITICAL | CWE-829 | CVSS 9.6 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.
Sources: GHSA, NVD
CVE-2026-40287 | P3 | HIGH | CWE-94 | CVSS 8.4 | versions >= 4.5.139, < 4.6.32 | 2026-04-14
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py
Sources: GHSA, NVD
CVE-2026-40116 | P3 | HIGH | CWE-770 | CVSS 7.5 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent conne
Sources: GHSA, NVD
CVE-2026-34936 | P3 | HIGH | CWE-918 | CVSS 7.7 | fixed in 4.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain all
Sources: GHSA, NVD, OSV
CVE-2026-40113 | P3 | HIGH | CWE-88 | CVSS 8.1 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-en
Sources: GHSA, NVD
CVE-2026-44340 | P3 | HIGH | CWE-22 | CVSS 7.5 | fixed in 4.6.37 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and ca
Sources: GHSA, NVD
CVE-2026-39889 | P3 | HIGH | CWE-200 | CVSS 7.5 | fixed in 4.5.115 | 2026-04-08
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/hea
Sources: GHSA, NVD, OSV
CVE-2026-35615 | P3 | HIGH | CWE-22 | CVSS 7.5 | fixed in 4.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is f
Sources: GHSA, NVD, OSV
CVE-2026-39308 | P3 | HIGH | CWE-22 | CVSS 7.1 | fixed in 4.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle man
Sources: GHSA, NVD, OSV
CVE-2026-39306 | P3 | HIGH | CWE-22 | CVSS 7.3 | fixed in 4.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that rec
Sources: GHSA, NVD, OSV
CVE-2026-39307 | P3 | HIGH | CWE-22 | CVSS 8.1 | fixed in 4.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive re
Sources: GHSA, NVD, OSV
CVE-2026-40115 | P3 | HIGH | CWE-770 | CVSS 7.5 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large PO
Sources: GHSA, NVD
CVE-2026-44334 | P3 | HIGH | CWE-94 | CVSS 8.4 | ≥ 4.5.139, < 4.6.32 | 2026-05-06
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
## TL;DR
CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on ev
Sources: GHSA
CVE-2026-40158 | P3 | HIGH | CWE-94 | CVSS 7.8 | fixed in 4.5.128 | 2026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes lik
Sources: GHSA, NVD
CVE-2026-40156 | P3 | HIGH | CWE-94 | CVSS 7.8 | fixed in 4.5.128 | 2026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user con
Sources: GHSA, NVD
CVE-2026-40149 | P3 | HIGH | CWE-396 | CVSS 7.3 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to a
Sources: GHSA, NVD
CVE-2026-34939 | P3 | HIGH | CWE-1333 | CVSS 7.5 | fixed in 4.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a comple
Sources: GHSA, NVD, OSV