cvebase

Praison Praisonai vulnerabilities

43 known vulnerabilities affecting praison/praisonai.

Total CVEs: 43
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 21, MEDIUM 5

Vulnerabilities

Page 1 of 3
CVE-2026-44338 | P1 | HIGH | CVSS 7.3 | Exploited | PoC | ≥ 2.5.6, < 4.6.34 | 2026-05-08
CWE-306: PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been p
nvd
CVE-2026-40114 | P2 | CRITICAL | CVSS 10.0 | fixed in 4.5.128 | 2026-04-09
CWE-918: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server
nvd
CVE-2026-40288 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.5.139 | 2026-04-14
CWE-78: PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support
nvd
CVE-2026-34935 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.5.15, < 4.5.69 | 2026-04-03
CWE-78: PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has be
nvd
CVE-2026-39305 | P2 | CRITICAL | CVSS 10.0 | ≤ 4.5.112 | 2026-04-07
CWE-22: PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments (../) in the target path, malicious actions can overwrite sens
nvd
CVE-2026-39890 | P2 | CRITICAL | CVSS 9.8 | ≤ 4.5.114 | 2026-04-08
CWE-502: PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can
nvd
CVE-2026-41497 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.6.9 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in v
nvd
CVE-2026-40289 | P2 | CRITICAL | CVSS 9.1 | fixed in 4.5.139 | 2026-04-14
CWE-306: PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and
nvd
CVE-2026-34955 | P2 | CRITICAL | CVSS 10.0 | fixed in 4.5.97 | 2026-04-04
CWE-78: PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in ST
nvd
CVE-2026-40151 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 4.5.128 | 2026-04-09
CWE-200: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults t
nvd
CVE-2026-39888 | P3 | CRITICAL | CVSS 9.9 | fixed in 1.5.115 | 2026-04-08
CWE-657: PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py)
nvd
CVE-2026-40315 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.5.133 | 2026-04-14
CWE-89: PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who cont
nvd
CVE-2026-34952 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.5.97 | 2026-04-03
CWE-306: PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version
nvd
CVE-2026-44336 | P3 | CRITICAL | CVSS 9.6 | fixed in 4.6.34 | 2026-05-08
CWE-20: PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call argument
nvd
CVE-2026-34953 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.5.97 | 2026-04-03
CWE-863: PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. Th
nvd
CVE-2026-34934 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.5.90 | 2026-04-03
CWE-89: PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full datab
nvd
CVE-2026-40313 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.5.140 | 2026-04-14
CWE-829: PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the
nvd
CVE-2026-40088 | P3 | CRITICAL | CVSS 9.6 | fixed in 4.5.121 | 2026-04-09
CWE-78: PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
nvd
CVE-2026-39891 | P3 | HIGH | CVSS 8.8 | ≤ 4.5.114 | 2026-04-08
CWE-94: PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as liter
nvd
CVE-2026-40157 | P3 | HIGH | CVSS 8.8 | fixed in 4.5.128 | 2026-04-10
CWE-22: PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary
nvd