Skip to main content

PraisonAI CVE-2026-60085

| EUVDEUVD-2026-44636 HIGH
Improper Check for Dropped Privileges (CWE-273)
2026-07-15 VulnCheck GHSA-65c8-r727-2mpj
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Ignored sandbox allows attacker-influenced arbitrary command execution with no auth or interaction modeled, yielding full confidentiality, integrity, and availability impact; scope unchanged as the OS is the sandbox's own host.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:26 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
HIGH 8.7

DescriptionCVE.org

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blocked_commands, blocked_paths, blocked_imports, allow_subprocess, and allow_file_write restrictions are completely ignored. Attackers can execute arbitrary subprocess commands, read sensitive files, and perform destructive operations despite explicit security policy configuration.

AnalysisAI

Security-policy bypass in PraisonAI before 4.6.78 renders the default Subprocess Sandbox backend inert, so administrator-defined blocked_commands, blocked_paths, blocked_imports, allow_subprocess, and allow_file_write restrictions are silently ignored. Any actor able to feed instructions into a PraisonAI agent can execute arbitrary subprocess commands, read sensitive files, and perform destructive file operations even though an explicit deny policy is configured. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed PraisonAI agent interface
Delivery
Submit task invoking blocked command
Exploit
Sandbox skips policy check
Execution
Subprocess executes arbitrary command
Impact
Read secrets or destroy files

Vulnerability AssessmentAI

Exploitation Exploitation requires that the deployment uses the default Subprocess Sandbox backend and that an attacker can influence the commands/tasks a PraisonAI agent executes (e.g., via a user-facing agent interface or untrusted content the agent processes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately strong but partly conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application built on PraisonAI exposes an agent endpoint and configures the Subprocess Sandbox with blocked_commands including 'rm' and allow_subprocess set to deny, assuming it is protected. An attacker submits a task that induces the agent to invoke a shell command; because the policy is never checked, the command runs and the attacker reads credentials from the filesystem or deletes data. …
Remediation Vendor-released patch: upgrade PraisonAI to version 4.6.78 or later, which restores enforcement of the sandbox policy; see the advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-5r6c-gj4g-r697. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all PraisonAI deployments, identify installed versions, and document exposure scope-specifically which systems are running versions before 4.6.78 and whether sensitive data or critical infrastructure is accessible through affected agents. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-60085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy