Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must supply a local workflow file (AV:L, PR:L) that a user then runs (UI:R); sandbox escape yields full code execution, so C/I/A:H with unchanged scope.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor._exec_inline_python() due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system() calls that bypass sandbox checks and execute arbitrary OS commands with process privileges.
AnalysisAI
OS command execution in PraisonAI before 4.6.78 lets an attacker who can supply a workflow definition escape the inline-Python sandbox and run arbitrary shell commands with the privileges of the agent process. The flaw lives in JobWorkflowExecutor._exec_inline_python(), whose AST-based validation fails to reject import os followed by os.system(), turning a malicious YAML workflow file into RCE. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to supply or modify a PraisonAI workflow file (YAML) that contains an inline-Python step processed by JobWorkflowExecutor._exec_inline_python(), and that step must then be executed - the CVSS UI:P/AV:L metrics confirm the attacker needs local influence over workflow input plus a legitimate user or scheduler running it, not remote unauthenticated access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a real but access-gated risk rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In a shared or automated environment, an attacker who can drop or edit a workflow YAML crafts a step containing `import os` followed by `os.system('<command>')`; the broken AST check passes it, and when a user or scheduler runs the workflow the command executes with the worker process's privileges. Given AV:L and UI:P, the realistic path is a multi-tenant PraisonAI deployment or a CI/agent pipeline that ingests externally-authored workflow files. … |
| Remediation | Vendor-released patch: 4.6.78 - upgrade PraisonAI to 4.6.78 or later as the primary and definitive fix, per GHSA-26mh-57q7-jfvr (https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-26mh-57q7-jfvr). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, conduct a complete inventory of systems running PraisonAI, document all versions, and immediately restrict workflow definition submission to authenticated administrators only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44643
GHSA-qh3g-555w-f82q