Praisonai
Monthly
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140) allows network attackers to control browser automation sessions without authentication. The /ws WebSocket endpoint accepts connections from any client omitting the Origin header, enabling attackers to send start_session commands that hijack idle browser-extension sessions and receive all automation outputs. With CVSS 9.1 (Critical) scoring driven by network attack vector, low complexity, and no authentication requirement (AV:N/AC:L/PR:N), this represents a severe risk in any deployment where the default 0.0.0.0 binding exposes the service to untrusted networks. No public exploit identified at time of analysis, though exploitation requires only basic WebSocket client capabilities.
SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to execute arbitrary code via malicious template files fetched from remote sources. The framework downloads and executes template files without integrity verification, origin validation, or user confirmation, creating a supply chain attack vector. Attackers with network access can distribute weaponized templates that execute when retrieved by victims, achieving high confidentiality and integrity compromise with scope change. No public exploit identified at time of analysis.
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippets via an unauthenticated GET /api/agents endpoint accessible from any network origin due to missing authentication middleware and permissive CORS defaults. This information disclosure vulnerability allows remote attackers to enumerate agent configurations without credentials, potentially revealing sensitive operational details that could inform social engineering or reconnaissance attacks against multi-agent deployments.
Unauthenticated modification of the tool approval allowlist in PraisonAI multi-agent system (versions prior to 4.5.128) enables attackers to bypass human-in-the-loop safety controls by injecting dangerous tool names (shell_exec, file_write) into the allowlist via the /api/approval/allow-list gateway endpoint. The ExecApprovalManager then auto-approves agent invocations of these tools, circumventing the approval mechanism's core security function. Attack requires local access; no public exploit identified at time of analysis. CVSS 7.9 reflects high integrity impact with scope change due to compromised safety boundaries in agent workflows.
Disk exhaustion in PraisonAI prior to 4.5.128 allows remote attackers to consume arbitrary disk space by publishing malicious recipe bundles containing highly compressible data that expand dramatically during extraction. The vulnerability exists in the _safe_extractall() function, which validates only path traversal attacks but lacks checks on individual member sizes, cumulative extracted size, or member count before tar extraction, enabling an unauthenticated attacker to trigger denial of service via LocalRegistry.pull() or HttpRegistry.pull() with minimal user interaction.
Unauthenticated resource exhaustion in PraisonAI versions prior to 4.5.128 allows remote attackers to drain OpenAI API credits and exhaust server resources. The /media-stream WebSocket endpoint in the call module accepts connections without authentication or Twilio signature validation, enabling unlimited concurrent sessions to OpenAI's Realtime API using the server's credentials. No public exploit identified at time of analysis. Affects PraisonAI deployments exposing the call module's WebSocket interface.
Memory exhaustion denial of service in PraisonAI's WSGI-based recipe registry server (server.py) affects versions prior to 4.5.128. The vulnerability allows unauthenticated local processes to send arbitrarily large POST requests by spoofing the Content-Length header, causing the server to allocate unbounded memory and crash. Authentication is disabled by default, eliminating any access control barrier. The Starlette-based alternative server (serve.py) includes a 10MB request size limit, but the WSGI implementation lacks equivalent protection. Vendor-released patch: version 4.5.128 or later.
Server-Side Request Forgery in PraisonAI versions prior to 4.5.128 allows unauthenticated remote attackers to force the server to send HTTP POST requests to arbitrary internal or external destinations via an unvalidated webhook_url parameter in the /api/v1/runs endpoint. Attackers can abuse this to access cloud metadata services (AWS/GCP/Azure instance metadata), internal APIs, and network-adjacent services, potentially exposing credentials, configuration data, or triggering unauthorized actions. No public exploit identified at time of analysis. CVSS 7.2 indicates changed scope with low confidentiality and integrity impact.
Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140) allows network attackers to control browser automation sessions without authentication. The /ws WebSocket endpoint accepts connections from any client omitting the Origin header, enabling attackers to send start_session commands that hijack idle browser-extension sessions and receive all automation outputs. With CVSS 9.1 (Critical) scoring driven by network attack vector, low complexity, and no authentication requirement (AV:N/AC:L/PR:N), this represents a severe risk in any deployment where the default 0.0.0.0 binding exposes the service to untrusted networks. No public exploit identified at time of analysis, though exploitation requires only basic WebSocket client capabilities.
SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to execute arbitrary code via malicious template files fetched from remote sources. The framework downloads and executes template files without integrity verification, origin validation, or user confirmation, creating a supply chain attack vector. Attackers with network access can distribute weaponized templates that execute when retrieved by victims, achieving high confidentiality and integrity compromise with scope change. No public exploit identified at time of analysis.
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippets via an unauthenticated GET /api/agents endpoint accessible from any network origin due to missing authentication middleware and permissive CORS defaults. This information disclosure vulnerability allows remote attackers to enumerate agent configurations without credentials, potentially revealing sensitive operational details that could inform social engineering or reconnaissance attacks against multi-agent deployments.
Unauthenticated modification of the tool approval allowlist in PraisonAI multi-agent system (versions prior to 4.5.128) enables attackers to bypass human-in-the-loop safety controls by injecting dangerous tool names (shell_exec, file_write) into the allowlist via the /api/approval/allow-list gateway endpoint. The ExecApprovalManager then auto-approves agent invocations of these tools, circumventing the approval mechanism's core security function. Attack requires local access; no public exploit identified at time of analysis. CVSS 7.9 reflects high integrity impact with scope change due to compromised safety boundaries in agent workflows.
Disk exhaustion in PraisonAI prior to 4.5.128 allows remote attackers to consume arbitrary disk space by publishing malicious recipe bundles containing highly compressible data that expand dramatically during extraction. The vulnerability exists in the _safe_extractall() function, which validates only path traversal attacks but lacks checks on individual member sizes, cumulative extracted size, or member count before tar extraction, enabling an unauthenticated attacker to trigger denial of service via LocalRegistry.pull() or HttpRegistry.pull() with minimal user interaction.
Unauthenticated resource exhaustion in PraisonAI versions prior to 4.5.128 allows remote attackers to drain OpenAI API credits and exhaust server resources. The /media-stream WebSocket endpoint in the call module accepts connections without authentication or Twilio signature validation, enabling unlimited concurrent sessions to OpenAI's Realtime API using the server's credentials. No public exploit identified at time of analysis. Affects PraisonAI deployments exposing the call module's WebSocket interface.
Memory exhaustion denial of service in PraisonAI's WSGI-based recipe registry server (server.py) affects versions prior to 4.5.128. The vulnerability allows unauthenticated local processes to send arbitrarily large POST requests by spoofing the Content-Length header, causing the server to allocate unbounded memory and crash. Authentication is disabled by default, eliminating any access control barrier. The Starlette-based alternative server (serve.py) includes a 10MB request size limit, but the WSGI implementation lacks equivalent protection. Vendor-released patch: version 4.5.128 or later.
Server-Side Request Forgery in PraisonAI versions prior to 4.5.128 allows unauthenticated remote attackers to force the server to send HTTP POST requests to arbitrary internal or external destinations via an unvalidated webhook_url parameter in the /api/v1/runs endpoint. Attackers can abuse this to access cloud metadata services (AWS/GCP/Azure instance metadata), internal APIs, and network-adjacent services, potentially exposing credentials, configuration data, or triggering unauthorized actions. No public exploit identified at time of analysis. CVSS 7.2 indicates changed scope with low confidentiality and integrity impact.
Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.