AI agent framework PraisonAI hit by 5 flaws, one a max-severity 10.0 RCE (CVE-2026-61447): update now
PraisonAI, a popular tool for delegating work to AI, has five flaws including the max-severity (10.0) CVE-2026-61447. A single crafted AI instruction can run malicious code on the server and steal secrets like API keys. Past PraisonAI flaws were attacked within hours of disclosure. Update both packages now.
Table of contents
PraisonAI, a popular tool for delegating work to AI, has five flaws including the max-severity (10.0) CVE-2026-61447. A single crafted AI instruction can run malicious code on the server and steal secrets like API keys. Past PraisonAI flaws were attacked within hours of disclosure. Update both packages now.
PraisonAI, a popular tool that lets AI handle research, write and run programs, and even operate a machine on your behalf, has a serious flaw that lets an attacker run malicious code on the server where the tool runs β simply by feeding the AI a crafted instruction β and steal secrets like API keys wholesale. The central identifier is CVE-2026-61447, rated the maximum severity of 10.0 out of 10. On the same day, five flaws in total were disclosed for this one product.
PraisonAI is a fast-rising framework for building AI agents (an AI agent is an AI that thinks and acts on your behalf), with more than 8,100 stars on GitHub. The headline flaw lives in the feature that lets the AI "write and run this code": the generated program is executed with no inspection at all, so slipping one malicious line into the AI's instructions is enough to take over the server. And PraisonAI has a history of repeated flaws β one earlier bug saw real attacks begin just 3 hours and 44 minutes after disclosure. If you use it, update to the latest version now.
What is PraisonAI
PraisonAI is a tool for linking several AIs together like a "team" to automatically handle research, planning, coding, and execution. It is open-source software published by developer Mervin Praison, marketed as "hiring a 24/7 AI workforce." Its appeal β running in just a few lines of code and supporting 100+ AI models β has made it spread quickly among developers who want to embed AI into their work. It has over 8,100 GitHub stars and once reached #2 on GitHub's trending ranking in April 2026.
On this blog we have also published a hands-on test of such agents, a record of running a 32-member AI team single-handedly. Convenient as it is, giving an AI "external tools" to do real work carries a new kind of danger. Similar flaws have been reported in Langflow, where merely opening a web page could hijack an AI agent, in the AI gateway LiteLLM, and in a connector that lets AI operate server fleets and leaked admin credentials. What sets PraisonAI apart is that it includes a top-tier "10.0" flaw.
Why it is dangerous, and how far the damage reaches
All five flaws disclosed together exploit the same weakness: through the "instructions" given to the AI or the "external data" the AI reads, the server running the tool can be operated illicitly. The most severe, CVE-2026-61447, has a hole in the feature where the AI writes and runs programs, so an attacker who mixes a crafted line into the AI's instructions can run any program on the server. This technique is called prompt injection (secretly injecting a command into the AI's prompt). The U.S. National Institute of Standards and Technology (NIST) classifies it as code injection (CWE-94).
The impact is concrete. Once arbitrary programs can run, the tool's environment variables (secret settings such as OpenAI or Anthropic API keys and database connection strings) are stolen wholesale. With your API key, an attacker can rack up huge bills using AI on your account, or pivot into connected services. A separate flaw (CVE-2026-61445) can also overwrite files and run commands, and since PraisonAI runs with administrator privileges when deployed via Docker, the server itself can be completely taken over.
The scary part is that the user need not even type the malicious instruction themselves. AI agents automatically read web pages, issue tickets, and imported documents to do their work. If an attacker plants a command inside that data, the AI mistakes it for a "work order" and executes it. AI being used for both attack and defense overlaps with the structure by which AI accelerates cyberattacks.
Who targets this hole, and what happens
The likely attackers are financially motivated actors after the API keys used for AI services and the internal systems they connect to, and scanner groups that automatically hunt disclosed flaws and try to break in indiscriminately. Tools like PraisonAI often hold the keys to multiple AI services and databases at once, making them a "key ring" that lets attackers reach many assets in a chain β a prize target.
The attack flow goes like this. The attacker plants a crafted instruction in advance inside web pages, documents, or tickets that the AI agent will read, and the moment the user has the AI process it, a program that steals information runs on the server. The user thinks they only asked the AI to do the usual work, yet API keys and connection details are quietly siphoned off. If PraisonAI is exposed directly to the internet, an attacker may not even need to inject instructions and can strike it directly from outside.
As a result, a targeted developer or company may have its AI service usage fees fraudulently drained, its connected internal systems and databases breached, or its server hijacked and turned into a launchpad for further attacks. The mechanism of giving AI convenient tools is spreading fast, but when those tools accept external input defenselessly, the AI itself is made to work as the attacker's henchman β a new risk now laid bare.
A technical look at what is happening
All five PraisonAI flaws share one root cause: AI output or external input is fed into an execution path without validation. Here they are one by one. Note that PraisonAI is split into two components (packages), praisonai and praisonaiagents, and the component to fix and the fixed version differ per flaw.
CVE-2026-61447: run arbitrary programs from an AI instruction, steal secrets (severity 10.0)
The "CodeAgent" feature that has the AI write and run programs executes the AI-generated Python directly, with no content inspection (AST validation), no restriction on dangerous calls, and no sandbox. A safety flag (sandbox=True) exists but is ignored and does nothing. Via prompt injection, an attacker makes the AI write malicious code β for example, a program that reads API keys from environment variables and sends them out. No login is required (no privileges needed). Affected: praisonaiagents up to 1.6.77, fixed in 1.6.78. Reported by anushkavirgaonkar.
CVE-2026-61445: file writes and command execution seize admin privileges (severity 9.9)
The "AICoder" coding-assist feature fails to validate the file save location. Mixing an absolute path into the destination bypasses the safety check (e.g. writing to a scheduled-task location like /etc/cron.d/ or SSH key files), from which any program can run. A command-execution feature also passes input through untouched, so slipping "run this command" into the AI chat makes it run on the server. According to the vendor advisory, PraisonAI runs as root under Docker, so the damage reaches the whole server. Affected: praisonai up to 4.6.77, fixed in 4.6.78.
CVE-2026-60090: injecting illicit commands into the database (severity 9.8)
The "knowledge store" feature that gives AI memory (the part using PGVector or Cassandra databases) embeds a user-derived value into the database command without validation. The "dimension" field, which should be a number, is not checked at runtime, so passing a crafted string like 3); DROP TABLE tenant_secrets; -- injects an illicit command into the database (the classic SQL/CQL injection technique), enabling data theft or deletion. According to NVD, affected: praisonai before 4.6.78, fixed in 4.6.78.
CVE-2026-61426: defenseless defaults let anyone connect to the AI (severity 8.6)
PraisonAI's default configuration itself was the problem. It opened connections on all interfaces, required no API key (passphrase), and disabled cross-site access control (CORS) by default, so if exposed to the internet, anyone could peek at the AI agent's instructions (system prompt) or run the AI without authentication. Affected: praisonaiagents before 1.7.3, fixed in 1.7.3. PraisonAI has previously shipped the same kind of "authentication disabled by default" flaw β a recurring pattern.
CVE-2026-61429: illicit access to internal networks (SSRF, severity 8.5)
The web-page fetching feature (the part using Crawl4AI / Chromium) cannot fully block a technique (SSRF) that fakes the access target to reach internal networks. By "DNS rebinding" β swapping DNS resolution midway β or by abusing redirects, an attacker can reach internal company servers or cloud internal data that should be off-limits. Affected: praisonaiagents before 1.6.78, fixed in 1.6.78.
Affected versions and remediation
The fixed versions differ per flaw, and the component to fix is split across two packages, praisonai and praisonaiagents. Updating only one does not close everything. To resolve them all, update praisonai to 4.6.78 or later and praisonaiagents to 1.7.3 or later β both to the latest available.
| Identifier | What it does | Severity | Package | Fixed in |
|---|---|---|---|---|
| CVE-2026-61447 | Run programs from an instruction | 10.0 | praisonaiagents | 1.6.78 |
| CVE-2026-61445 | File write + command execution (root) | 9.9 | praisonai | 4.6.78 |
| CVE-2026-60090 | Inject illicit database commands | 9.8 | praisonai | 4.6.78 |
| CVE-2026-61426 | Defenseless defaults, anyone can connect | 8.6 | praisonaiagents | 1.7.3 |
| CVE-2026-61429 | Illicit access to internal networks (SSRF) | 8.5 | praisonaiagents | 1.6.78 |
Beyond updating, it is important not to expose PraisonAI directly to the internet. Running it externally accessible lets attackers hit the defenseless defaults (CVE-2026-61426) directly. Limit it to an internal network or local environment, and if needed, always enable API-key authentication. Also narrow the external data (web pages, documents, tickets) the AI agent reads to trusted sources, to shrink the entry point for prompt injection. Such AI connectors should always be included in the scope of continuously checking the OSS supply chain (the safety of external components).
Why flaws keep recurring in PraisonAI
This is not the first time serious flaws have surfaced in PraisonAI. In May 2026, a flaw where the API server shipped with authentication disabled (CVE-2026-44338) was disclosed, and according to security firm Sysdig, a scanner began probing the hole just 3 hours and 44 minutes after the advisory went public. Earlier flaws include a severity-10.0 "sandbox escape" (CVE-2026-34938) and a bundled "nine-vulnerability cluster" advisory (RAXE-2026-050).
The common thread is a design habit of feeding AI output and external input into command execution, file operations, and databases without validation. The AI-agent field moves fast, tends to prioritize adding features, and easily defers input validation and privilege narrowing. Microsoft, too, warns of this danger common to AI-agent platforms, framing it as "when prompts become shells (a window for running commands)." If you use PraisonAI, make updating and privilege design a habit, on the premise that "the more convenient a new feature, the less it may yet be hardened."
What is confirmed, and what is still unknown
β Confirmed facts
- βFive flaws were disclosed for PraisonAI on the same day; the most severe, CVE-2026-61447, is rated 10.0 and allows arbitrary program execution via prompt injection (NVD)
- βThe components to fix split into
praisonai(fixed in 4.6.78) andpraisonaiagents(fixed in 1.7.3); updating only one closes nothing fully (NVD) - βPraisonAI has repeatedly had serious flaws; CVE-2026-44338 was targeted by an attack scanner 3h44m after disclosure (Sysdig)
? Not yet confirmed
- ?As of publication, there is no official report that these five flaws have been exploited in real attacks
- ?They are not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication (check the latest KEV status here)
- ?Given that this product's past flaws were attacked right after disclosure, early exploitation attempts this time also seem likely
What you can do right now
The core of remediation is clear. The top priority is to update both PraisonAI packages to the latest available version (targets: praisonai 4.6.78+ and praisonaiagents 1.7.3+). Fixed versions are available from PyPI (Python's package distribution site) and the GitHub releases page. Delegating work to AI is convenient, but it also means more keys are held, so a takeover does more damage.
Also, it is important to not expose it directly to the internet and to narrow the AI's privileges and the data it reads. If external access is unnecessary, limit it to a local environment and enable API-key authentication. Disable the program-execution and file-operation features if you do not need them. Do not let the AI process untrusted external data as-is. If you were already running it exposed, re-issue all API keys and database connection details you had placed in environment variables, just in case.
| Who | What to do now | Priority |
|---|---|---|
| Developers using it | Update both packages Disable unneeded exec/file features | Top |
| Running it exposed | Restrict to local/internal Enable API-key auth | Top |
| Suspected compromise | Re-issue keys / connection info Audit exec logs and billing | High |
FAQ
Q. If I don't expose PraisonAI and use it only on my own PC, am I safe?
A. Not exposing it to the internet greatly reduces the risk of the defenseless defaults (CVE-2026-61426) being hit directly. However, the most severe CVE-2026-61447 can trigger from instructions planted in external data the AI reads (web pages, documents), so even local use is not risk-free. Always update to the latest version.
Q. How do I check my version?
A. Run pip show praisonai and pip show praisonaiagents to see each version. If praisonai is before 4.6.78 or praisonaiagents is before 1.7.3, you are affected by one of these flaws. Update both to the latest.
Q. Why do I need to update two packages separately?
A. PraisonAI consists of two packages, praisonai and praisonaiagents, and these flaws span both. Updating only one leaves the other's hole open. Updating both to the latest is the reliable fix.
Q. Is it already being exploited?
A. As of publication, there is no official report that these five flaws have been used in real attacks, and they are not in CISA's KEV catalog. However, PraisonAI has a precedent of past flaws being attacked right after disclosure, so early targeting seems likely this time too. Updating early is safer.
In summary
This case is about PraisonAI β a popular tool that can be entrusted with research, coding, and even operating a machine β feeding AI output and external input into execution paths without proper checking, so a single instruction to the AI can take over the server. The central CVE-2026-61447 is rated 10.0, exploitable without login, and can steal secrets like API keys wholesale. Five flaws were disclosed on the same day, and the components to fix split into two.
The saving grace is that the vendor has already published fixes. Update both praisonai and praisonaiagents to the latest, avoid exposing it directly to the internet, and narrow the AI's privileges and the data it reads. Keep these basics and you close most entry points. The mechanism of giving AI tools is spreading fast, but neglect validation of the input those tools receive and the AI itself can become the attacker's henchman. PraisonAI is a product with a precedent of being attacked right after disclosure. Treat convenience and danger as two sides of the same coin, and get updates and privilege design done early. We will report again if new exploitation emerges.
Sources
- βΈ NVD - CVE-2026-61447 (code execution, 10.0)
- βΈ NVD - CVE-2026-61445 (file write + command execution, 9.9)
- βΈ NVD - CVE-2026-60090 (SQL/CQL injection, 9.8)
- βΈ NVD - CVE-2026-61426 (insecure defaults, 8.6)
- βΈ NVD - CVE-2026-61429 (SSRF, 8.5)
- βΈ GitHub Security Advisory - CodeAgent RCE (GHSA-2xv2-w8cq-5gxw)
- βΈ GitHub Security Advisory - AICoder file write / command execution (GHSA-9mp3-24cc-77mg)
- βΈ Sysdig - PraisonAI authentication bypass exploited in under 4 hours
- βΈ Microsoft Security Blog - When prompts become shells: RCE in AI agent frameworks
- βΈ PraisonAI official repository (GitHub)

Makoto Horikawa
Backend Engineer / AWS / Django