praisonai
PyPI
41 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting praisonai
- CVE-2026-34934 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.90 | 2026-04-03
vulnerable: 0.0.1 ... 4.5.9 (651 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID vi…
- CVE-2026-34935 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.69 | 2026-04-03
vulnerable: 4.5.15 ... 4.5.68 (48 versions)
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist ch…
- CVE-2026-34936 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 4.5.90 | 2026-04-03
vulnerable: 0.0.1 ... 4.5.9 (651 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() …
- CVE-2026-34939 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.90 | 2026-04-03
vulnerable: 0.0.1 ... 4.5.9 (651 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes ca…
- CVE-2026-34952 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 4.5.97 | 2026-04-03
vulnerable: 0.0.1 ... 4.5.96 (656 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate regist…
- CVE-2026-34953 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 4.5.97 | 2026-04-03
vulnerable: 0.0.1 ... 4.5.96 (656 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bea…
- CVE-2026-34955 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.5.97 | 2026-04-04
vulnerable: 0.0.1 ... 4.5.96 (656 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous comma…
- CVE-2026-35615 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.5.113 | 2026-04-07
vulnerable: 0.0.1 ... 1.0.9 (100 versions)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This make…
- CVE-2026-39305 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 4.5.113 | 2026-04-07
vulnerable: 0.0.1 ... 4.5.98 (671 versions)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspa…
- CVE-2026-39306 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 4.5.113 | 2026-04-07
vulnerable: 0.0.1 ... 4.5.98 (671 versions)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malic…
- CVE-2026-39307 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 4.5.113 | 2026-04-07
vulnerable: 0.0.1 ... 4.5.98 (671 versions)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g…
- CVE-2026-39308 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 4.5.113 | 2026-04-07
vulnerable: 0.0.1 ... 4.5.98 (671 versions)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manife…
- CVE-2026-39889 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.5.115 | 2026-04-08
vulnerable: 0.0.1 ... 4.5.98 (673 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with …
- CVE-2026-39890 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.115 | 2026-04-08
vulnerable: 0.0.1 ... 4.5.98 (673 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an a…
- CVE-2026-39891 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.5.115 | 2026-04-08
vulnerable: 0.0.1 ... 4.5.98 (673 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed dire…
- CVE-2026-40088 | CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 4.5.121 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (678 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attacke…
- CVE-2026-40112 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not list…
- CVE-2026-40113 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without v…
- CVE-2026-40114 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP…
- CVE-2026-40115 | MEDIUM | CVSS 6.2 | EG 6.2 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined wi…
- CVE-2026-40116 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an …
- CVE-2026-40148 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulativ…
- CVE-2026-40149 | HIGH | CVSS 7.9 | EG 7.9 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding danger…
- CVE-2026-40151 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated…
- CVE-2026-40154 | CRITICAL | CVSS 9.3 | EG 9.3 | ✓ Fixed in 4.5.128 | 2026-04-09
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks t…
- CVE-2026-40156 | HIGH | CVSS 7.8 | EG 7.8 | ✓ Fixed in 4.5.128 | 2026-04-10
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_fr…
- CVE-2026-40157 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.5.128 | 2026-04-10
vulnerable: 2.8.3 ... 4.5.98 (296 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write …
- CVE-2026-40158 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 4.5.128 | 2026-04-10
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_…
- CVE-2026-40159 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 4.5.128 | 2026-04-10
vulnerable: 0.0.1 ... 4.5.98 (685 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). The…
- CVE-2026-40287 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 4.5.139 | 2026-04-14
vulnerable: 0.0.1 ... 4.5.98 (695 versions)
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (impor…
- CVE-2026-40288 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.139 | 2026-04-14
vulnerable: 0.0.1 ... 4.5.98 (695 versions)
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow…
- CVE-2026-40289 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 4.5.139 | 2026-04-14
vulnerable: 0.0.1 ... 4.5.98 (695 versions)
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentic…
- CVE-2026-40315 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.133 | 2026-04-14
vulnerable: 0.0.1 ... 4.5.98 (690 versions)
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings wit…
- CVE-2026-41496 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 4.5.149 | 2026-05-08
vulnerable: 0.0.1 ... 4.5.98 (700 versions)
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, as…
- CVE-2026-41497 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.5.149 | 2026-05-08
vulnerable: 0.0.1 ... 4.5.98 (700 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python,…
- CVE-2026-44334 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 4.6.32 | 2026-05-08
vulnerable: 4.5.139 ... 4.6.9 (28 versions)
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import si…
- CVE-2026-44336 | CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 4.6.34 | 2026-05-08
vulnerable: 0.0.1 ... 4.6.9 (725 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praison…
- CVE-2026-44337 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 4.6.34 | 2026-05-08
vulnerable: 2.4.1 ... 4.6.9 (358 versions)
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arg…
- CVE-2026-44338 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 4.6.34 | 2026-05-08
vulnerable: 2.5.6 ... 4.6.9 (348 versions)
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /age…
- CVE-2026-44339 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 4.6.37 | 2026-05-08
vulnerable: 0.0.1 ... 4.6.9 (728 versions)
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool lis…
- CVE-2026-44340 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.6.37 | 2026-05-08
vulnerable: 0.0.1 ... 4.6.9 (728 versions)
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments,…