Impact
PraisonAI versions earlier than 4.5.128 contain a flaw that allows authenticated users to force the system to set its approval_mode to auto, overriding any administrator configuration. The LLM agent can then execute shell commands with subprocess.run(shell=True) without passing through the manual approval gate or the command sanitization filter. This flaw gives attackers the ability to execute arbitrary commands on the host, potentially leading to full system compromise. The weakness is classified as CWE‑863, reflecting a missing or incorrect feature enforcement.
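An added sketch (not PraisonAI's code; every function and parameter name here is hypothetical) of the control the text above describes being bypassed: the administrator's approval_mode is a floor that a request can tighten but never loosen, and an approved command runs as an argument list instead of through a shell. The binary allowlist stands in for the sanitization filter and is an assumption.

```python
import shlex
import subprocess

# Hypothetical names throughout; illustrative only, not the project's implementation.
STRICTNESS = {"auto": 0, "manual": 1}  # higher value = stricter mode


def effective_mode(admin_mode, requested_mode=None):
    """Admin setting is the floor: a request may tighten it, never loosen it."""
    if admin_mode not in STRICTNESS:
        raise ValueError(f"unknown admin approval_mode: {admin_mode!r}")
    if requested_mode not in STRICTNESS:
        return admin_mode  # absent or unknown values fall back to admin policy
    return max(admin_mode, requested_mode, key=STRICTNESS.__getitem__)


def run_agent_command(command, admin_mode, approver, requested_mode=None,
                      allowed_binaries=frozenset({"echo"})):
    """Gate an agent-proposed command; returns (status, stdout)."""
    argv = shlex.split(command)
    # Stand-in for the sanitization filter: only allowlisted binaries pass.
    if not argv or argv[0] not in allowed_binaries:
        return ("rejected", "")
    mode = effective_mode(admin_mode, requested_mode)
    # Manual mode always consults the approver, whatever the request asked for.
    if mode == "manual" and not approver(argv):
        return ("denied", "")
    # argv list with shell=False: ';' and similar reach the program as literal text.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)
    return ("executed", done.stdout)


if __name__ == "__main__":
    # Constructed inputs: a request asks for "auto" while the admin set "manual".
    print(effective_mode("manual", "auto"))
    print(run_agent_command("echo hi; id", "manual", lambda argv: False,
                            requested_mode="auto"))
```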
Affected Systems
The vulnerability affects the PraisonAI application from the vendor PraisonAI. All releases before 4.5.128 are affected; newer releases have the hardcoded override removed. System administrators need to check the deployed PraisonAI version and verify that they are running a patched build.
Risk and Exploitability
The CVSS score of 8.7 marks this issue as high severity. EPSS data is not available, but the lack of a public exploit does not diminish the risk for organizations that rely on this software. Because the flaw depends on possessing authenticated access to the web interface and the ability to instruct the LLM agent, attackers likely must be users with privileged roles or otherwise authorized to submit queries. Once the condition is met, the attacker can achieve remote code execution by running arbitrary shell commands, which directly impacts confidentiality, integrity, and availability of the underlying host. The vulnerability is not listed in the CISA KEV catalog yet.