Skip to main content

EUVD-2026-20638

| CVE-2026-39890 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-04-08 https://github.com/MervinPraison/PraisonAI GHSA-32vr-5gcf-3pw2
RCE Deserialization
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20638
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 19:17 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.

Details

The vulnerability exists in the YAML deserialization process. The js-yaml library's load function is used without specifying a safe schema (e.g., JSON_SCHEMA or DEFAULT_SAFE_SCHEMA). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a !!js/function tag is parsed, the function is evaluated, leading to arbitrary code execution.

The vulnerable code is located in src/agents/agent.service.ts at line 55.

PoC

An attacker can create a malicious agent YAML file with the following content:

yaml
!!js/function >
  function(){ require('child_process').execSync('touch /tmp/pwned') }

Then, upload this file as an agent definition via the API endpoint that uses AgentService.loadAgentFromFile. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command touch /tmp/pwned, demonstrating arbitrary code execution.

Impact

This vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration.

Recommended Fix

Replace the unsafe load method with a safe alternative. Specifically, use the load method with a safe schema, such as JSON_SCHEMA or DEFAULT_SAFE_SCHEMA. For example:

typescript
import yaml from 'js-yaml';
import { JSON_SCHEMA } from 'js-yaml';

// In the loadAgentFromFile method
const agent = yaml.load(fileContent, { schema: JSON_SCHEMA });

Alternatively, if the application requires only a subset of YAML features, consider using the safeLoad method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code.

Additionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.

AnalysisAI

Unsafe YAML deserialization in PraisonAI allows remote code execution through malicious agent definition files. The AgentService.loadAgentFromFile method uses js-yaml.load without safe schema restrictions, permitting dangerous tags like !!js/function that execute arbitrary JavaScript. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious YAML with js/function tag
Delivery
Upload via API endpoint
Exploit
Parse with unsafe js-yaml.load
Execution
Execute arbitrary JavaScript code
Impact
Achieve RCE on server
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker uploads a malicious YAML agent definition file via the API endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Critical RCE via unsafe YAML deserialization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker uploads malicious YAML via unprotected API endpoint containing `!!js/function` tag with shell command (e.g., reverse shell). Server parses file with unsafe schema, triggering JavaScript function evaluation. …
Remediation Vendor-released patch: Upgrade to PraisonAI version 4.5.115 or later, available at https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all PraisonAI deployments and document current versions; disable or restrict access to agent file upload API endpoints if business-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-20638 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy