Praison Praisonai vulnerabilities

43 known vulnerabilities affecting praison/praisonai.

Total CVEs: 43
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 21, MEDIUM 5

Vulnerabilities

Page 2 of 3
CVE-2026-41496 | P3 | HIGH | CVSS 8.1 | fixed in 4.6.9 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same ro
Source: NVD
CVE-2026-44339 | P3 | HIGH | CVSS 8.6 | CWE-470 | fixed in 4.6.37 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool na
Source: NVD
CVE-2026-40154 | P3 | CRITICAL | CVSS 9.6 | CWE-829 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.
Source: NVD
CVE-2026-40287 | P3 | HIGH | CVSS 8.4 | CWE-94 | fixed in 4.5.139 | 2026-04-14
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py
Source: NVD
CVE-2026-40116 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent conne
Source: NVD
CVE-2026-34936 | P3 | HIGH | CVSS 7.7 | CWE-918 | fixed in 4.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain all
Source: NVD
CVE-2026-40113 | P3 | HIGH | CVSS 8.1 | CWE-88 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-en
Source: NVD
CVE-2026-44340 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 4.6.37 | 2026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and ca
Source: NVD
CVE-2026-39889 | P3 | HIGH | CVSS 7.5 | CWE-200 | ≤ 4.5.114 | 2026-04-08
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/hea
Source: NVD
CVE-2026-35615 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 1.5.113 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the check completely useless and allows trivial path traversal to any file on the system. This vulnerability is f
Source: NVD
CVE-2026-39308 | P3 | HIGH | CVSS 7.1 | CWE-22 | ≤ 4.5.112 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle man
Source: NVD
CVE-2026-39306 | P3 | HIGH | CVSS 7.3 | CWE-22 | ≤ 4.5.112 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that rec
Source: NVD
CVE-2026-39307 | P3 | HIGH | CVSS 8.1 | CWE-22 | ≤ 4.5.112 | 2026-04-07
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive re
Source: NVD
CVE-2026-40115 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large PO
Source: NVD
CVE-2026-44334 | P3 | HIGH | CVSS 8.4 | ≥ 4.5.139, < 4.6.32 | 2026-05-08
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every r
Source: NVD
CVE-2026-40158 | P3 | HIGH | CVSS 7.8 | CWE-94 | fixed in 4.5.128 | 2026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes lik
Source: NVD
CVE-2026-40156 | P3 | HIGH | CVSS 7.8 | CWE-94 | fixed in 4.5.128 | 2026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user con
Source: NVD
CVE-2026-40149 | P3 | HIGH | CVSS 7.3 | CWE-396 | fixed in 4.5.128 | 2026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to a
Source: NVD
CVE-2026-34939 | P3 | HIGH | CVSS 7.5 | CWE-1333 | fixed in 4.5.90 | 2026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a comple
Source: NVD
CVE-2026-44337 | P3 | MEDIUM | CVSS 6.3 | CWE-20 | ≥ 2.4.1, < 4.6.34 | 2026-05-08
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. T
Source: NVD