
RAXE Labs dropped nine security vulnerabilities across PraisonAI’s two PyPI packages on July 11. Two are rated CVSS 10.0, one is 9.9, and four ship with vendor-published proof-of-concept code. If you run PraisonAI or praisonaiagents in any networked environment, stop reading and patch first. The last PraisonAI auth bypass was scanned less than four hours after disclosure — this cluster is worse.
What Is PraisonAI?
PraisonAI is an open-source multi-agent orchestration framework supporting 100+ LLMs, MCP tool integration, RAG, and code execution — five lines of code to deploy a working agent workforce. It ships as two PyPI packages: praisonai and praisonaiagents. Both are affected by this advisory.
The Two CVSS 10.0 Flaws
CVE-2026-61447 lives inside CodeAgent._execute_python() in the praisonai package. That function takes Python code generated by the LLM and runs it — no AST validation, no import restrictions, no sandbox. An attacker injects a malicious prompt, the LLM produces harmful Python, and the method executes it. Outcome: arbitrary code execution with full access to environment secrets — API keys, cloud credentials, SSH keys. Fixed in praisonai 1.6.78.
CVE-2026-34938 is in praisonaiagents and it breaks a different assumption: that a three-layer sandbox is hard to escape. It is not, if the sandbox uses pattern matching on Python strings. Pass a str subclass with startswith() overridden and every block list check returns False — no memory corruption, no special privileges, just a custom Python class that lies to the filter. Fixed in praisonaiagents 1.5.90.
Pattern-based block lists are not sandboxes. They are speed bumps.
CVSS 9.9: File Write and Shell Commands as Root
CVE-2026-61445 is in PraisonAI’s AICoder component, which handles LLM-generated file operations. There is no path validation. An attacker submits a crafted chat prompt, bypasses the insufficient sanitization, and writes files anywhere on the host filesystem while executing arbitrary shell commands as root — without authenticating first. Affected: praisonai versions before 4.6.78.
The Recurring Default: No Authentication
CVE-2026-61426 (CVSS 8.6) should not appear twice in the same codebase. PraisonAI binds to all network interfaces, requires no API key, and ships with a wildcard CORS policy. Anyone who reaches the port can hit GET /api/agents to extract your agent instructions and system prompts, then POST /api/chat to invoke those agents — no credentials needed. Fixed in praisonai 1.7.3.
ByteIota covered CVE-2026-44338, a nearly identical auth-off-by-default flaw from June, which was actively scanned 3 hours and 44 minutes after disclosure. Four of the current nine CVEs have published PoC code. Expect faster this time.
The Other Five
The remaining vulnerabilities in RAXE-2026-050 cover three additional attack surfaces:
- CVE-2026-60090 — SQL/CQL Injection: The
dimensionargument in the knowledge-storecreate_collection()function is passed unsanitized into the database query. Standard injection, no tricks required. - CVE-2026-61429 — SSRF via DNS Rebinding: The Crawl4AI/Chromium backend’s SSRF filter is bypassed by combining DNS rebinding with HTTP redirects, coercing the headless browser to reach internal services.
- Three additional CVEs in
praisonaiagentscovering MCP command injection variants, with CVSS scores from 7.7 to 10.0.
The Deeper Problem
PraisonAI is not an outlier. GuardFall research published this month found shell injection bypasses in 10 of the 11 most popular open-source AI coding agents. The pattern is consistent: the framework checks a code or command string against a block list, then passes it to the execution environment — Python, Bash, or Node.js — which re-evaluates it through substitution, expansion, or inheritance. The block list never saw the real payload.
OWASP’s Top 10 for LLM Applications called unsafe code execution a top risk in 2025. The AI agent frameworks that have not been hit yet are not necessarily safer — they may simply not have been audited. If your agent executes LLM-generated code, it needs proper isolation: a microVM, gVisor, or at minimum a subprocess with no network access and a read-only filesystem. String matching on LLM output is not a security control.
Patch Now
Check your installed versions and upgrade both packages immediately:
pip show praisonai praisonaiagents
pip install --upgrade praisonai praisonaiagents
Target versions: praisonai >= 4.6.78 and praisonaiagents >= 1.5.90. Full affected version ranges and CVE details are in the RAXE-2026-050 advisory. If you cannot patch immediately, take the service offline or restrict it to localhost-only traffic until you can.













