Mervinpraison Praisonaiagents vulnerabilities
20 known vulnerabilities affecting mervinpraison/praisonaiagents.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 9, MEDIUM 6
Vulnerabilities
CVE-2026-40288 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.5.140 | 2026-04-14
CVE-2026-40288 [CRITICAL] CWE-78
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support
Sources: GHSA, NVD
CVE-2026-34938 | P2 | CRITICAL | ≥ 0, < 1.5.90 | 2026-04-01
CVE-2026-34938 [CRITICAL] CWE-693 PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
### Summary
`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the
Sources: GHSA, OSV
CVE-2026-40289 | P2 | CRITICAL | CVSS 9.1 | fixed in 1.5.140 | 2026-04-14
CVE-2026-40289 [CRITICAL] CWE-306
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and
Sources: GHSA, NVD
CVE-2026-39888 | P3 | CRITICAL | CVSS 9.9 | fixed in 1.5.115 | 2026-04-08
CVE-2026-39888 [CRITICAL] CWE-657
PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py)
Sources: GHSA, NVD, OSV
CVE-2026-34937 | P2 | HIGH | ≥ 0, < 1.5.90 | 2026-04-01
CVE-2026-34937 [HIGH] CWE-78 PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
### Summary
`run_python()` in `praisonai` constructs a shell command string by interpolating user-controlled code into `python3 -c ""` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `\` and `"`, leaving `$()` and backtick substitutions unescaped, allowing arbitrary OS command execut
Sources: GHSA, OSV
CVE-2026-40315 | P3 | HIGH | ≥ 0, < 1.6.8 | 2026-04-17
CVE-2026-40315 [HIGH] CWE-89 PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
The fix for [CVE-2026-40315](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp) added input validation to `SQLiteConversationStore` only. Nine sibling backends — MySQL, PostgreSQL, async
Sources: GHSA
CVE-2026-44335 | P3 | HIGH | ≥ 0, < 1.6.32 | 2026-05-06
CVE-2026-44335 [HIGH] CWE-918 PraisonAI has an SSRF bypass
### Summary
The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.
### Details
The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks.
However, there are indeed differences in parsing between urlparse an
Sources: GHSA
CVE-2026-40111 | P3 | HIGH | CVSS 8.8 | fixed in 1.5.128 | 2026-04-09
CVE-2026-40111 [HIGH] CWE-78
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended co
Sources: GHSA, NVD
CVE-2026-34954 | P3 | HIGH | ≥ 0, < 1.5.95 | 2026-04-01
CVE-2026-34954 [HIGH] CWE-918 PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
### Summary
`FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and in
Sources: GHSA, OSV
CVE-2026-40117 | P3 | HIGH | CVSS 7.5 | fixed in 1.5.128 | 2026-04-09
CVE-2026-40117 [HIGH] CWE-862
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_sk
Sources: GHSA, NVD
CVE-2025-66416 | P3 | HIGH | ≥ 0.6.0, < 1.6.59 | 2026-06-18
CVE-2025-66416 [HIGH] CWE-306 PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
## Summary
`praisonaiagents.mcp.ToolsMCPServer.run_sse()` builds a Starlette MCP HTTP+SSE server around `mcp.server.sse.SseServerTransport`. The server e
Sources: GHSA
CVE-2026-44339 | P3 | HIGH | ≥ 0, < 1.6.37 | 2026-05-11
CVE-2026-44339 [HIGH] CWE-470 PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
### Summary
`praisonaiagents` resolves unresolved tool names against module globals and `__main__` after it fails to match the declared tool list and the registry. With the default agent configuration, `_perm_allow` is `None`, so undeclare
Sources: GHSA
CVE-2026-40287 | P3 | HIGH | ≥ 0, < 1.5.140 | 2026-04-10
CVE-2026-40287 [HIGH] CWE-426 PraisonAI Vulnerable to RCE via Automatic tools.py Import
PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.
A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.
### Affected Co
Sources: GHSA
CVE-2026-40150 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.5.128 | 2026-04-09
CVE-2026-40150 [MEDIUM] CWE-918
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in craw
Sources: GHSA, NVD
CVE-2026-40153 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.5.128 | 2026-04-09
CVE-2026-40153 [MEDIUM] CWE-526
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environmen
Sources: GHSA, NVD
CVE-2026-40160 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.5.128 | 2026-04-10
CVE-2026-40160 [MEDIUM] CWE-918
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. Th
Sources: GHSA, NVD
CVE-2026-40152 | P3 | MEDIUM | CVSS 5.3 | fixed in 1.5.128 | 2026-04-09
CVE-2026-40152 [MEDIUM] CWE-22
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. path segments, an attacker can use relative path
Sources: GHSA, NVD
CVE-2026-47392 | CRITICAL | CVSS 10.0 | ≥ 0, < 1.6.40 | 2026-05-29
CVE-2026-47392 [CRITICAL] CWE-184 PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be e
Sources: GHSA
CVE-2026-47390 | MEDIUM | ≥ 0, < 1.6.40 | 2026-05-29
CVE-2026-47390 [MEDIUM] CWE-918 PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
### Summary
PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings.
The affected component is:
```text
praisonaiagents/tools/spider_tools.py
```
The tool contains a URL validation function intended to block local or unsafe targets before fetching atta
Sources: GHSA
CVE-2026-47395 | MEDIUM | ≥ 0, < 1.6.40 | 2026-05-29
CVE-2026-47395 [MEDIUM] CWE-200 PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
### Summary
PraisonAI's direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins.
If a prompt contains `@url:`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a
Sources: GHSA