Skip to main content

PraisonAI CVE-2026-60086

| EUVDEUVD-2026-42894 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-07-10 VulnCheck GHSA-5c3v-h6hw-4gx7
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible with no authentication required; integrity impact limited to model instruction manipulation with no confidentiality or availability impact to the vulnerable system.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:57 vuln.today

DescriptionCVE.org

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are classified as HIGH threat level and pass through unblocked to reach the model.

AnalysisAI

Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted single/double-vector prompt to PraisonAI endpoint
Delivery
Detector pipeline fires on one or two families only
Exploit
Threat classified as HIGH, below CRITICAL block threshold
Execution
Defense gate passes injection through unblocked
Persist
Injected instructions reach underlying language model
Impact
Model executes attacker-supplied directives

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target deployment runs PraisonAI in a version prior to 4.6.78 with its built-in prompt injection defense active and that user-controlled input reaches the detector pipeline. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N) reflects network-reachable, unauthenticated exploitation with low attack complexity and limited integrity impact to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted user message to an externally accessible PraisonAI-powered application, deliberately constructing the payload to trigger exactly one or two detector families - for example, combining a role-override instruction with a subtle data-extraction directive that avoids a third detection signal. The defense classifier rates the input HIGH rather than CRITICAL and passes it through unblocked; the model receives and executes the injected instructions, potentially leaking system prompt contents or performing unintended tool calls. …
Remediation Upgrade PraisonAI to version 4.6.78 or later, as confirmed by the vendor security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4r3p-w3mc-5v34. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-60086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy