Skip to main content

PraisonAI CVE-2026-61434

| EUVDEUVD-2026-42899 HIGH
OS Command Injection (CWE-78)
2026-07-10 VulnCheck GHSA-wrw8-384c-cg76
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable execution surface (AV:N/AC:L) but requires low-privileged access to submit commands (PR:L); allowlist escape yields full file read, deletion, and binary execution (C/I/A:H) within the same system, so S:U.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:27 vuln.today

DescriptionCVE.org

PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands via find's built-in -exec, -execdir, and -delete actions. Attackers can craft find commands with these built-in actions to read blocked files, delete files, or execute non-allowlisted binaries without triggering shell metacharacter filters.

AnalysisAI

Command execution allowlist bypass in PraisonAI before 4.6.78 lets a low-privileged attacker who can supply commands to the framework's restricted-execution feature slip past its shell-metacharacter filters by abusing find's built-in -exec, -execdir, and -delete actions. Because those actions run binaries and delete files entirely inside the find process, they never trip the metacharacter allowlist, so the attacker can read blocked files, delete arbitrary files, and launch non-allowlisted binaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to PraisonAI command execution
Delivery
Craft find command with -exec/-delete
Exploit
Bypass metacharacter allowlist filter
Execution
Run non-allowlisted binary via find
Impact
Read blocked files or delete data

Vulnerability AssessmentAI

Exploitation Exploitation requires a target running PraisonAI before 4.6.78 with its restricted shell-command-execution feature enabled and reachable by the attacker, and with 'find' (or an equivalent) permitted by the command allowlist - the exact primitives abused are find's built-in -exec, -execdir, and -delete actions, which execute binaries and delete files without shell metacharacters and thus evade the metacharacter filter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, score 8.7) indicates a network-reachable, low-complexity attack requiring some pre-existing privilege (PR:L) and no user interaction, yielding total compromise of the vulnerable system's confidentiality, integrity, and availability with no scope change (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged access to a PraisonAI deployment that exposes restricted shell execution submits a command such as 'find / -name id_rsa -exec cat {} ;' or 'find /data -name "*.db" -delete', which passes the metacharacter allowlist because no shell operators are present. The -exec action then runs cat (or any non-allowlisted binary) to exfiltrate blocked files while -delete destroys data, giving the attacker read and destructive capabilities beyond the intended allowlist. …
Remediation Vendor-released patch: 4.6.78 - upgrade PraisonAI to 4.6.78 or later, the primary and recommended fix (see GHSA-cv3g-hj65-pcfh). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running PraisonAI before 4.6.78; restrict network access to these instances to trusted sources only; review access logs for suspicious command submissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-61434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy