RAXE Labs dropped nine security vulnerabilities across PraisonAI’s two PyPI packages on July 11. Two are rated CVSS 10.0, one is 9.9, and four ship with vendor-published proof-of-concept code. If you run PraisonAI or praisonaiagents in any networked environment, stop reading and patch first. The last PraisonAI auth bypass was scanned less than four hours after disclosure — this cluster is worse.
What Is PraisonAI? #
PraisonAI is an open-source multi-agent orchestration framework supporting 100+ LLMs, MCP tool integration, RAG, and code execution — five lines of code to deploy a working agent workforce. It ships as two PyPI packages: praisonai
and praisonaiagents
. Both are affected by this advisory.
The Two CVSS 10.0 Flaws #
CVE-2026-61447 lives inside CodeAgent._execute_python()
in the praisonai
package. That function takes Python code generated by the LLM and runs it — no AST validation, no import restrictions, no sandbox. An attacker injects a malicious prompt, the LLM produces harmful Python, and the method executes it. Outcome: arbitrary code execution with full access to environment secrets — API keys, cloud credentials, SSH keys. Fixed in praisonai 1.6.78.
CVE-2026-34938 is in praisonaiagents
and it breaks a different assumption: that a three-layer sandbox is hard to escape. It is not, if the sandbox uses pattern matching on Python strings. Pass a str subclass with startswith()
overridden and every block list check returns False — no memory corruption, no special privileges, just a custom Python class that lies to the filter. Fixed in praisonaiagents 1.5.90.
Pattern-based block lists are not sandboxes. They are speed bumps.
CVSS 9.9: File Write and Shell Commands as Root #
CVE-2026-61445 is in PraisonAI’s AICoder component, which handles LLM-generated file operations. There is no path validation. An attacker submits a crafted chat prompt, bypasses the insufficient sanitization, and writes files anywhere on the host filesystem while executing arbitrary shell commands as root — without authenticating first. Affected: praisonai versions before 4.6.78.
The Recurring Default: No Authentication #
CVE-2026-61426 (CVSS 8.6) should not appear twice in the same codebase. PraisonAI binds to all network interfaces, requires no API key, and ships with a wildcard CORS policy. Anyone who reaches the port can hit GET /api/agents
to extract your agent instructions and system prompts, then POST /api/chat
to invoke those agents — no credentials needed. Fixed in praisonai 1.7.3.
ByteIota covered CVE-2026-44338, a nearly identical auth-off-by-default flaw from June, which was actively scanned 3 hours and 44 minutes after disclosure. Four of the current nine CVEs have published PoC code. Expect faster this time.
The Other Five #
The remaining vulnerabilities in RAXE-2026-050 cover three additional attack surfaces:
CVE-2026-60090 — SQL/CQL Injection: Thedimension
argument in the knowledge-storecreate_collection()
function is passed unsanitized into the database query. Standard injection, no tricks required.CVE-2026-61429 — SSRF via DNS Rebinding: The Crawl4AI/Chromium backend’s SSRF filter is bypassed by combining DNS rebinding with HTTP redirects, coercing the headless browser to reach internal services.- Three additional CVEs in
praisonaiagents
covering MCP command injection variants, with CVSS scores from 7.7 to 10.0.
The Deeper Problem #
PraisonAI is not an outlier. GuardFall research published this month found shell injection bypasses in 10 of the 11 most popular open-source AI coding agents. The pattern is consistent: the framework checks a code or command string against a block list, then passes it to the execution environment — Python, Bash, or Node.js — which re-evaluates it through substitution, expansion, or inheritance. The block list never saw the real payload.
OWASP’s Top 10 for LLM Applications called unsafe code execution a top risk in 2025. The AI agent frameworks that have not been hit yet are not necessarily safer — they may simply not have been audited. If your agent executes LLM-generated code, it needs proper isolation: a microVM, gVisor, or at minimum a subprocess with no network access and a read-only filesystem. String matching on LLM output is not a security control.
Patch Now #
Check your installed versions and upgrade both packages immediately:
pip show praisonai praisonaiagents
pip install --upgrade praisonai praisonaiagents
Target versions: praisonai >= 4.6.78 and praisonaiagents >= 1.5.90. Full affected version ranges and CVE details are in the RAXE-2026-050 advisory. If you cannot patch immediately, take the service offline or restrict it to localhost-only traffic until you can.