cd /news/ai-safety/praisonai-nine-cves-including-two-cv… · home topics ai-safety article
[ARTICLE · art-56733] src=byteiota.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

PraisonAI: Nine CVEs Including Two CVSS 10.0 RCEs — Patch Now

RAXE Labs disclosed nine security vulnerabilities in PraisonAI's PyPI packages on July 11, including two CVSS 10.0 remote code execution flaws (CVE-2026-61447 and CVE-2026-34938) and a CVSS 9.9 file write/shell command bug (CVE-2026-61445). The vulnerabilities affect the open-source multi-agent orchestration framework, with four issues having published proof-of-concept code, and users are urged to patch immediately.

read4 min views1 publishedJul 13, 2026
PraisonAI: Nine CVEs Including Two CVSS 10.0 RCEs — Patch Now
Image: Byteiota (auto-discovered)

RAXE Labs dropped nine security vulnerabilities across PraisonAI’s two PyPI packages on July 11. Two are rated CVSS 10.0, one is 9.9, and four ship with vendor-published proof-of-concept code. If you run PraisonAI or praisonaiagents in any networked environment, stop reading and patch first. The last PraisonAI auth bypass was scanned less than four hours after disclosure — this cluster is worse.

What Is PraisonAI? #

PraisonAI is an open-source multi-agent orchestration framework supporting 100+ LLMs, MCP tool integration, RAG, and code execution — five lines of code to deploy a working agent workforce. It ships as two PyPI packages: praisonai

and praisonaiagents

. Both are affected by this advisory.

The Two CVSS 10.0 Flaws #

CVE-2026-61447 lives inside CodeAgent._execute_python()

in the praisonai

package. That function takes Python code generated by the LLM and runs it — no AST validation, no import restrictions, no sandbox. An attacker injects a malicious prompt, the LLM produces harmful Python, and the method executes it. Outcome: arbitrary code execution with full access to environment secrets — API keys, cloud credentials, SSH keys. Fixed in praisonai 1.6.78.

CVE-2026-34938 is in praisonaiagents

and it breaks a different assumption: that a three-layer sandbox is hard to escape. It is not, if the sandbox uses pattern matching on Python strings. Pass a str subclass with startswith()

overridden and every block list check returns False — no memory corruption, no special privileges, just a custom Python class that lies to the filter. Fixed in praisonaiagents 1.5.90.

Pattern-based block lists are not sandboxes. They are speed bumps.

CVSS 9.9: File Write and Shell Commands as Root #

CVE-2026-61445 is in PraisonAI’s AICoder component, which handles LLM-generated file operations. There is no path validation. An attacker submits a crafted chat prompt, bypasses the insufficient sanitization, and writes files anywhere on the host filesystem while executing arbitrary shell commands as root — without authenticating first. Affected: praisonai versions before 4.6.78.

The Recurring Default: No Authentication #

CVE-2026-61426 (CVSS 8.6) should not appear twice in the same codebase. PraisonAI binds to all network interfaces, requires no API key, and ships with a wildcard CORS policy. Anyone who reaches the port can hit GET /api/agents

to extract your agent instructions and system prompts, then POST /api/chat

to invoke those agents — no credentials needed. Fixed in praisonai 1.7.3.

ByteIota covered CVE-2026-44338, a nearly identical auth-off-by-default flaw from June, which was actively scanned 3 hours and 44 minutes after disclosure. Four of the current nine CVEs have published PoC code. Expect faster this time.

The Other Five #

The remaining vulnerabilities in RAXE-2026-050 cover three additional attack surfaces:

CVE-2026-60090 — SQL/CQL Injection: Thedimension

argument in the knowledge-storecreate_collection()

function is passed unsanitized into the database query. Standard injection, no tricks required.CVE-2026-61429 — SSRF via DNS Rebinding: The Crawl4AI/Chromium backend’s SSRF filter is bypassed by combining DNS rebinding with HTTP redirects, coercing the headless browser to reach internal services.- Three additional CVEs in praisonaiagents

covering MCP command injection variants, with CVSS scores from 7.7 to 10.0.

The Deeper Problem #

PraisonAI is not an outlier. GuardFall research published this month found shell injection bypasses in 10 of the 11 most popular open-source AI coding agents. The pattern is consistent: the framework checks a code or command string against a block list, then passes it to the execution environment — Python, Bash, or Node.js — which re-evaluates it through substitution, expansion, or inheritance. The block list never saw the real payload.

OWASP’s Top 10 for LLM Applications called unsafe code execution a top risk in 2025. The AI agent frameworks that have not been hit yet are not necessarily safer — they may simply not have been audited. If your agent executes LLM-generated code, it needs proper isolation: a microVM, gVisor, or at minimum a subprocess with no network access and a read-only filesystem. String matching on LLM output is not a security control.

Patch Now #

Check your installed versions and upgrade both packages immediately:

pip show praisonai praisonaiagents
pip install --upgrade praisonai praisonaiagents

Target versions: praisonai >= 4.6.78 and praisonaiagents >= 1.5.90. Full affected version ranges and CVE details are in the RAXE-2026-050 advisory. If you cannot patch immediately, take the service offline or restrict it to localhost-only traffic until you can.

── more in #ai-safety 4 stories · sorted by recency
── more on @praisonai 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/praisonai-nine-cves-…] indexed:0 read:4min 2026-07-13 ·