{"slug": "praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now", "title": "PraisonAI: Nine CVEs Including Two CVSS 10.0 RCEs — Patch Now", "summary": "RAXE Labs disclosed nine security vulnerabilities in PraisonAI's PyPI packages on July 11, including two CVSS 10.0 remote code execution flaws (CVE-2026-61447 and CVE-2026-34938) and a CVSS 9.9 file write/shell command bug (CVE-2026-61445). The vulnerabilities affect the open-source multi-agent orchestration framework, with four issues having published proof-of-concept code, and users are urged to patch immediately.", "body_md": "RAXE Labs dropped nine security vulnerabilities across PraisonAI’s two PyPI packages on July 11. Two are rated CVSS 10.0, one is 9.9, and four ship with vendor-published proof-of-concept code. If you run PraisonAI or praisonaiagents in any networked environment, stop reading and patch first. The [last PraisonAI auth bypass was scanned less than four hours after disclosure](https://www.csoonline.com/article/4171215/praisonai-vulnerability-gets-scanned-within-4-hours-of-disclosure.html) — this cluster is worse.\n\n## What Is PraisonAI?\n\nPraisonAI is an open-source multi-agent orchestration framework supporting 100+ LLMs, MCP tool integration, RAG, and code execution — five lines of code to deploy a working agent workforce. It ships as two PyPI packages: `praisonai`\n\nand `praisonaiagents`\n\n. Both are affected by this advisory.\n\n## The Two CVSS 10.0 Flaws\n\n**CVE-2026-61447** lives inside `CodeAgent._execute_python()`\n\nin the `praisonai`\n\npackage. That function takes Python code generated by the LLM and runs it — no AST validation, no import restrictions, no sandbox. An attacker injects a malicious prompt, the LLM produces harmful Python, and the method executes it. Outcome: arbitrary code execution with full access to environment secrets — API keys, cloud credentials, SSH keys. Fixed in **praisonai 1.6.78**.\n\n**CVE-2026-34938** is in `praisonaiagents`\n\nand it breaks a different assumption: that a three-layer sandbox is hard to escape. It is not, if the sandbox uses pattern matching on Python strings. Pass a str subclass with `startswith()`\n\noverridden and every block list check returns False — no memory corruption, no special privileges, just a custom Python class that lies to the filter. Fixed in **praisonaiagents 1.5.90**.\n\nPattern-based block lists are not sandboxes. They are speed bumps.\n\n## CVSS 9.9: File Write and Shell Commands as Root\n\n**CVE-2026-61445** is in PraisonAI’s AICoder component, which handles LLM-generated file operations. There is no path validation. An attacker submits a crafted chat prompt, bypasses the insufficient sanitization, and writes files anywhere on the host filesystem while executing arbitrary shell commands as root — without authenticating first. Affected: **praisonai versions before 4.6.78**.\n\n## The Recurring Default: No Authentication\n\n**CVE-2026-61426** (CVSS 8.6) should not appear twice in the same codebase. PraisonAI binds to all network interfaces, requires no API key, and ships with a wildcard CORS policy. Anyone who reaches the port can hit `GET /api/agents`\n\nto extract your agent instructions and system prompts, then `POST /api/chat`\n\nto invoke those agents — no credentials needed. Fixed in **praisonai 1.7.3**.\n\nByteIota covered CVE-2026-44338, a nearly identical auth-off-by-default flaw from June, which was actively scanned 3 hours and 44 minutes after disclosure. Four of the current nine CVEs have published PoC code. Expect faster this time.\n\n## The Other Five\n\nThe remaining vulnerabilities in [RAXE-2026-050](https://raxe.ai/labs/advisories/RAXE-2026-050) cover three additional attack surfaces:\n\n**CVE-2026-60090 — SQL/CQL Injection:** The`dimension`\n\nargument in the knowledge-store`create_collection()`\n\nfunction is passed unsanitized into the database query. Standard injection, no tricks required.**CVE-2026-61429 — SSRF via DNS Rebinding:** The Crawl4AI/Chromium backend’s SSRF filter is bypassed by combining DNS rebinding with HTTP redirects, coercing the headless browser to reach internal services.- Three additional CVEs in\n`praisonaiagents`\n\ncovering MCP command injection variants, with CVSS scores from 7.7 to 10.0.\n\n## The Deeper Problem\n\nPraisonAI is not an outlier. [GuardFall research published this month](https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/) found shell injection bypasses in 10 of the 11 most popular open-source AI coding agents. The pattern is consistent: the framework checks a code or command string against a block list, then passes it to the execution environment — Python, Bash, or Node.js — which re-evaluates it through substitution, expansion, or inheritance. The block list never saw the real payload.\n\n[OWASP’s Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) called unsafe code execution a top risk in 2025. The AI agent frameworks that have not been hit yet are not necessarily safer — they may simply not have been audited. If your agent executes LLM-generated code, it needs proper isolation: a microVM, gVisor, or at minimum a subprocess with no network access and a read-only filesystem. String matching on LLM output is not a security control.\n\n## Patch Now\n\nCheck your installed versions and upgrade both packages immediately:\n\n```\npip show praisonai praisonaiagents\npip install --upgrade praisonai praisonaiagents\n```\n\nTarget versions: **praisonai >= 4.6.78** and **praisonaiagents >= 1.5.90**. Full affected version ranges and CVE details are in the [RAXE-2026-050 advisory](https://raxe.ai/labs/advisories/RAXE-2026-050). If you cannot patch immediately, take the service offline or restrict it to localhost-only traffic until you can.", "url": "https://wpnews.pro/news/praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now", "canonical_source": "https://byteiota.com/praisonai-raxe-2026-050-nine-cves/", "published_at": "2026-07-13 02:13:17+00:00", "updated_at": "2026-07-13 02:15:32.115360+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-infrastructure", "ai-policy"], "entities": ["PraisonAI", "RAXE Labs", "CVE-2026-61447", "CVE-2026-34938", "CVE-2026-61445", "CVE-2026-61426", "CVE-2026-60090", "CVE-2026-61429"], "alternates": {"html": "https://wpnews.pro/news/praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now", "markdown": "https://wpnews.pro/news/praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now.md", "text": "https://wpnews.pro/news/praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now.txt", "jsonld": "https://wpnews.pro/news/praisonai-nine-cves-including-two-cvss-10-0-rces-patch-now.jsonld"}}