Skip to main content

PraisonAI CVE-2026-60087

| EUVDEUVD-2026-44637 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-15 VulnCheck GHSA-r3xw-gcpr-rf26
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Local vector and required user interaction reflect session-scope exploitation with mandatory initial approval; PR:N because no OS account privileges are needed to influence agent arguments; I:H for arbitrary file write capability.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:36 vuln.today

DescriptionCVE.org

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with unreviewed parameters in the same session.

AnalysisAI

PraisonAI's tool approval caching mechanism in versions before 1.6.78 allows an attacker who influences an AI agent's behavior within a session to bypass human-in-the-loop oversight by reusing a single user-granted approval across tool calls with entirely different, unreviewed arguments. The flaw (CWE-863: Incorrect Authorization) directly undermines the security boundary that tool approval is designed to enforce, enabling arbitrary file write operations after approval of a benign operation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Inject adversarial prompt into AI agent session
Delivery
Agent requests benign tool invocation
Exploit
Legitimate user approves tool by name (cached)
Execution
Attacker crafts subsequent call to same tool with dangerous arguments
Persist
Cached name-based approval bypasses review gate
Impact
Arbitrary file write executes without user knowledge

Vulnerability AssessmentAI

Exploitation Exploitation requires that: (1) the target deployment runs PraisonAI in a version earlier than 1.6.78 with the tool approval caching feature active; (2) a legitimate user has granted approval for at least one invocation of the targeted tool by name within the current session - this is the mandatory user interaction prerequisite reflected in the CVSS UI:P metric; and (3) the attacker can influence the AI agent's tool call argument construction within that same session, most practically through prompt injection or adversarial user inputs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L) places this squarely in the local-interaction threat model: exploitation is constrained to an active session and requires that a legitimate user has already granted at least one tool approval (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to inject adversarial instructions into an AI agent's prompt within a PraisonAI session first engineers the agent to request a harmless invocation of a file-writing tool - for example, writing to a temporary log path - and waits for the user to approve it. With the tool name now cached as approved, the attacker then crafts a second agent action using the same tool name but targeting a sensitive file path with malicious content, which executes immediately without any additional user review. …
Remediation Upgrade PraisonAI to version 1.6.78 or later, which corrects the approval cache to evaluate tool name and argument payload together, preventing approval reuse across distinct invocations. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-60087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy