Description
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
Published: 2026-04-09
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

PraisonAI exposes an execute_command function and shell execution within workflows to user-controlled input. Attackers can inject shell metacharacters through agent workflows, YAML definitions, or LLM-generated tool calls, allowing arbitrary shell commands to run. This elevates the vulnerability to full remote code execution, compromising confidentiality, integrity, and availability of affected systems.

Affected Systems

The vulnerability affects MervinPraison PraisonAI installations running any version prior to 4.5.121. Users who can define or modify agent workflows, upload YAML definitions, or trigger LLM-generated tool calls are at risk.

Risk and Exploitability

With a CVSS score of 9.7 the flaw is considered critical. While EPSS data is not available, the combination of high severity and the ability to inject commands directly from user-controlled inputs suggests a high likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the remote attack vector and explicit command execution capabilities warrant immediate attention. Exploitation requires only the ability to supply or alter workflow definitions, which many users may have if role-based controls are not enforced.

Generated by OpenCVE AI on April 9, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.121 or later

Generated by OpenCVE AI on April 9, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2763-cj5r-c79m PraisonAI Vulnerable to OS Command Injection
History

Thu, 16 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
Title Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T20:14:56.938Z

Reserved: 2026-04-09T00:39:12.206Z

Link: CVE-2026-40088

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T20:16:27.597

Modified: 2026-04-16T20:40:45.067

Link: CVE-2026-40088

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:27Z

Weaknesses