# PraisonAI: Nine CVEs Including Two CVSS 10.0 RCEs — Patch Now

> Source: <https://byteiota.com/praisonai-raxe-2026-050-nine-cves/>
> Published: 2026-07-13 02:13:17+00:00

RAXE Labs dropped nine security vulnerabilities across PraisonAI’s two PyPI packages on July 11. Two are rated CVSS 10.0, one is 9.9, and four ship with vendor-published proof-of-concept code. If you run PraisonAI or praisonaiagents in any networked environment, stop reading and patch first. The [last PraisonAI auth bypass was scanned less than four hours after disclosure](https://www.csoonline.com/article/4171215/praisonai-vulnerability-gets-scanned-within-4-hours-of-disclosure.html) — this cluster is worse.

## What Is PraisonAI?

PraisonAI is an open-source multi-agent orchestration framework supporting 100+ LLMs, MCP tool integration, RAG, and code execution — five lines of code to deploy a working agent workforce. It ships as two PyPI packages: `praisonai`

and `praisonaiagents`

. Both are affected by this advisory.

## The Two CVSS 10.0 Flaws

**CVE-2026-61447** lives inside `CodeAgent._execute_python()`

in the `praisonai`

package. That function takes Python code generated by the LLM and runs it — no AST validation, no import restrictions, no sandbox. An attacker injects a malicious prompt, the LLM produces harmful Python, and the method executes it. Outcome: arbitrary code execution with full access to environment secrets — API keys, cloud credentials, SSH keys. Fixed in **praisonai 1.6.78**.

**CVE-2026-34938** is in `praisonaiagents`

and it breaks a different assumption: that a three-layer sandbox is hard to escape. It is not, if the sandbox uses pattern matching on Python strings. Pass a str subclass with `startswith()`

overridden and every block list check returns False — no memory corruption, no special privileges, just a custom Python class that lies to the filter. Fixed in **praisonaiagents 1.5.90**.

Pattern-based block lists are not sandboxes. They are speed bumps.

## CVSS 9.9: File Write and Shell Commands as Root

**CVE-2026-61445** is in PraisonAI’s AICoder component, which handles LLM-generated file operations. There is no path validation. An attacker submits a crafted chat prompt, bypasses the insufficient sanitization, and writes files anywhere on the host filesystem while executing arbitrary shell commands as root — without authenticating first. Affected: **praisonai versions before 4.6.78**.

## The Recurring Default: No Authentication

**CVE-2026-61426** (CVSS 8.6) should not appear twice in the same codebase. PraisonAI binds to all network interfaces, requires no API key, and ships with a wildcard CORS policy. Anyone who reaches the port can hit `GET /api/agents`

to extract your agent instructions and system prompts, then `POST /api/chat`

to invoke those agents — no credentials needed. Fixed in **praisonai 1.7.3**.

ByteIota covered CVE-2026-44338, a nearly identical auth-off-by-default flaw from June, which was actively scanned 3 hours and 44 minutes after disclosure. Four of the current nine CVEs have published PoC code. Expect faster this time.

## The Other Five

The remaining vulnerabilities in [RAXE-2026-050](https://raxe.ai/labs/advisories/RAXE-2026-050) cover three additional attack surfaces:

**CVE-2026-60090 — SQL/CQL Injection:** The`dimension`

argument in the knowledge-store`create_collection()`

function is passed unsanitized into the database query. Standard injection, no tricks required.**CVE-2026-61429 — SSRF via DNS Rebinding:** The Crawl4AI/Chromium backend’s SSRF filter is bypassed by combining DNS rebinding with HTTP redirects, coercing the headless browser to reach internal services.- Three additional CVEs in
`praisonaiagents`

covering MCP command injection variants, with CVSS scores from 7.7 to 10.0.

## The Deeper Problem

PraisonAI is not an outlier. [GuardFall research published this month](https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/) found shell injection bypasses in 10 of the 11 most popular open-source AI coding agents. The pattern is consistent: the framework checks a code or command string against a block list, then passes it to the execution environment — Python, Bash, or Node.js — which re-evaluates it through substitution, expansion, or inheritance. The block list never saw the real payload.

[OWASP’s Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) called unsafe code execution a top risk in 2025. The AI agent frameworks that have not been hit yet are not necessarily safer — they may simply not have been audited. If your agent executes LLM-generated code, it needs proper isolation: a microVM, gVisor, or at minimum a subprocess with no network access and a read-only filesystem. String matching on LLM output is not a security control.

## Patch Now

Check your installed versions and upgrade both packages immediately:

```
pip show praisonai praisonaiagents
pip install --upgrade praisonai praisonaiagents
```

Target versions: **praisonai >= 4.6.78** and **praisonaiagents >= 1.5.90**. Full affected version ranges and CVE details are in the [RAXE-2026-050 advisory](https://raxe.ai/labs/advisories/RAXE-2026-050). If you cannot patch immediately, take the service offline or restrict it to localhost-only traffic until you can.
