Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions.
Details
The create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping (as shown in agent_centric_example.py:85-86), template expressions in the input are executed rather than treated as literal text. This occurs because:
- No input sanitization or escaping is applied to user-controlled content
- The ACP-enabled runtime auto-approves operations (
approval_mode="auto") - Tools lack context-aware escaping for template syntax
PoC
# Replace the agent.start() call at line 85 with:
result = agent.start('Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned") }}')Successful exploitation creates /tmp/pwned confirming arbitrary command execution. The expression {{7*7}} renders as 49 instead of literal text.
Impact
Attackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement.
Recommended Fix
- Input Sanitization: Implement strict whitelist validation for file content
- Contextual Escaping: Auto-escape template syntax characters (e.g.,
{{ }}) in user input using Jinja2autoescape=True - Sandboxing: Restrict template execution environments using secure eval modes
- Approval Hardening: Require manual approval for file creation operations in production
AnalysisAI
Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.
Technical ContextAI
Root cause is CWE-94 code injection through server-side template injection (SSTI) in Jinja2 engine. The acp_create_file tool accepts user-controlled content from agent.start() without escaping template delimiters, while auto-approval mode bypasses runtime validation. Successful exploitation leverages Python introspection (self.__init__.__globals__.__builtins__) to access os.system() through template context, achieving arbitrary command execution within the rendering sandbox.
RemediationAI
Vendor-released patch: upgrade to PraisonAI version 4.5.115 or later per https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115. Immediate mitigation: enable Jinja2 autoescape=True globally in template initialization; implement strict input validation with whitelisting for file content parameters; disable auto-approval mode (set approval_mode to "manual" for production deployments); apply sandboxed template execution using Jinja2 SandboxedEnvironment class to restrict access to dangerous built-ins. For unpatched systems, disable or restrict access to agent-centric tools requiring template rendering. Review application logs for suspicious template expressions containing __init__, __globals__, or __import__ patterns. Consult vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg for additional context and validation testing procedures.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20639
GHSA-hwg5-x759-7wjg