Description
PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.
Published: 2026-06-18
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI versions prior to 1.5.128 cache tool‑approval decisions solely by tool name, ignoring the arguments used when the tool is invoked. This flaw allows an attacker who has received an initial, benign approval for a tool to subsequently execute arbitrary shell commands with the same tool, bypassing the approval workflow and enabling silent exfiltration of API keys and other credentials. The weakness is an authorization bypass (CWE‑863) that can lead to data theft and broader system compromise.
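The difference between name-only and argument-bound approval caching, as an added illustration. This is not PraisonAI's code: the class and function names are hypothetical and the sample calls are constructed.

```python
import hashlib
import json


class NameOnlyApprovalCache:
    """Vulnerable pattern: one approval covers every later call to the tool."""

    def __init__(self):
        self._approved = set()

    def key(self, tool, args):
        return tool  # invocation arguments are ignored

    def is_approved(self, tool, args):
        return self.key(tool, args) in self._approved

    def approve(self, tool, args):
        self._approved.add(self.key(tool, args))


class PerInvocationApprovalCache(NameOnlyApprovalCache):
    """Hardened pattern: an approval is bound to the exact arguments."""

    def key(self, tool, args):
        # Canonical JSON so that key order does not change the digest.
        canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
        return f"{tool}:{digest}"


def prompts_needed(cache, calls):
    """Return the calls that reach the human prompt (user approves each)."""
    prompted = []
    for tool, args in calls:
        if not cache.is_approved(tool, args):
            prompted.append((tool, args))
            cache.approve(tool, args)
    return prompted


# Constructed sample: a benign call, a different command, then a repeat.
CALLS = [
    ("execute_command", {"command": "ls"}),
    ("execute_command", {"command": "echo second-command"}),
    ("execute_command", {"command": "ls"}),
]
```

With the name-only cache, only the first call is shown to the user; with the argument-bound cache, the second command triggers its own prompt and only the exact repeat is served from the cache.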

Affected Systems

All PraisonAI installations running a version older than 1.5.128 are vulnerable. The issue resides in the tool-approval subsystem and affects any configuration where the execute_command API is exposed.

Risk and Exploitability

The CVSS score of 6.8 classifies the vulnerability as moderate severity. No public exploits are documented, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an initial benign command to populate the cache; once populated, an attacker can supply malicious arguments to the same tool without further user interaction. Attackers with local or remote access to the API can thus use this vector, making the risk moderate but urgent to address.

Generated by OpenCVE AI on June 19, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PraisonAI to version 1.5.128 or newer, which resolves the tool‑approval caching issue.
  • If a patch cannot be applied immediately, reconfigure the system to enforce approval for every command invocation or disable the execute_command API until the fix is in place.
  • After remediation, audit PraisonAI logs for suspicious command executions and monitor for unauthorized exfiltration of credentials.



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:00:00 +0000

Type, Values Removed, Values Added (no values were removed):

Description: PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.
Title: PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching
First Time appeared: Praison; Praison praisonai
Weaknesses: CWE-863
CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products: Praison; Praison praisonai
References
Metrics:
  cvssV3_1: score 5.5, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  cvssV4_0: score 6.8, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T22:12:22.730Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56074

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses