CVE-2026-56074: PraisonAI: tool approval bypass enables credential theft

MEDIUM
Published June 18, 2026
CISO Take

PraisonAI versions before 1.5.128 cache tool approval decisions by tool name alone, meaning a single user approval of a benign execute_command call silently unlocks all subsequent shell command executions with arbitrary arguments — including those designed to exfiltrate API keys and credentials. Although the CVSS score sits at 5.5 (Medium) due to the local attack vector and required user interaction, the confidentiality impact is rated High and exploitation complexity is Low, making this trivially weaponizable once an attacker can influence the first command the agent presents for approval. With 112 other CVEs recorded against this package and no confirmed patch version in the structured advisory data, teams running PraisonAI-powered agents in any environment with sensitive credentials (cloud provider keys, LLM API tokens, database passwords) should treat this as priority remediation. Upgrade to PraisonAI 1.5.128 or later immediately, rotate any secrets accessible to affected agent processes, and audit agent workflows for any tool whose consent should be per-invocation rather than per-tool-name.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Risk is moderate at the package level but elevated in realistic AI agent deployments. The local attack vector limits remote exploitation, but AI agents routinely run on developer workstations and CI/CD systems holding high-value credentials. Exploitation requires only that an attacker influence the first tool invocation the user approves — a realistic precondition via prompt injection, malicious input data processed by the agent, or social engineering. No public exploit exists and EPSS data is absent, but the technique is mechanically simple and requires no AI or security expertise beyond constructing a benign first command. The 112 other CVEs attributed to this package indicate persistent quality and security hygiene issues that compound residual risk beyond this individual finding.

How does the attack unfold?

  1. Approval Priming (AML.T0051): Attacker influences agent input via prompt injection or malicious content to cause the agent to present a benign execute_command call (e.g., 'ls /tmp') that the user approves.

  2. Cache Poisoning (AML.T0107): PraisonAI records approval by tool name only ('execute_command'), persisting blanket authorization for all future invocations of that tool regardless of arguments.

  3. Silent Command Execution (AML.T0053): Attacker triggers subsequent execute_command calls with malicious arguments (credential file reads, environment dumps, network exfiltration) that bypass all approval prompts.

  4. Credential Exfiltration (AML.T0086): API keys, cloud credentials, and secrets accessible on the local system are silently transmitted to attacker-controlled infrastructure without user awareness.

What systems are affected?

Package: PraisonAI
Ecosystem: pip
Vulnerable Range: not listed in the structured advisory data
Patched: No patch
Dependents: 1 (83% patched, ~0d to patch)

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

6 steps
  1. Upgrade PraisonAI to version 1.5.128 or later immediately.

  2. If patching is not immediately possible, disable execute_command and shell tool access for agent profiles that do not require it.

  3. Rotate all secrets accessible to PraisonAI agent processes in the affected period: cloud provider keys, LLM API tokens (OpenAI, Anthropic, etc.), SSH keys, database credentials, and .env values.

  4. Implement a secrets manager (HashiCorp Vault, AWS Secrets Manager, or equivalent) to eliminate plaintext credentials on disk in agent execution environments.

  5. Audit agent invocation logs for unexpected execute_command calls, particularly those referencing credential paths, curl, wget, nc, or base64 encoding patterns.

  6. For any custom agent framework with tool approval caching, validate that cache keys include a hash of the tool name plus all invocation arguments, not the name alone.
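As an added illustration of step 6 (example code written for this page, not PraisonAI's own implementation), a minimal approval gate keyed two ways: by tool name only, which reproduces the advisory's bypass, and by a hash of the canonicalised tool name plus arguments, which forces a fresh prompt for any new argument set; a never_cache set covers tools that should need per-invocation consent. The tool name, argument shape and user-policy callback are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed illustration of the CWE-863 pattern in the advisory; not PraisonAI code.
ToolArgs = dict[str, Any]

def key_by_name(tool: str, args: ToolArgs) -> str:
    """Vulnerable keying: one approval covers every future call of the tool."""
    return tool

def key_by_name_and_args(tool: str, args: ToolArgs) -> str:
    """Fixed keying: hash of canonical JSON (sorted keys, no whitespace), so
    equivalent argument dicts match and any changed argument re-prompts."""
    canonical = json.dumps({"tool": tool, "args": args}, sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

@dataclass
class ApprovalGate:
    key_fn: Callable[[str, ToolArgs], str]
    ask_user: Callable[[str, ToolArgs], bool]  # consent prompt, injected for testing
    never_cache: frozenset[str] = frozenset()  # tools needing per-invocation consent
    prompts: int = 0
    _approved: set[str] = field(default_factory=set)

    def authorize(self, tool: str, args: ToolArgs) -> bool:
        key = self.key_fn(tool, args)
        if tool not in self.never_cache and key in self._approved:
            return True  # cache hit: the user is never asked again
        self.prompts += 1
        if not self.ask_user(tool, args):
            return False
        if tool not in self.never_cache:
            self._approved.add(key)
        return True

def replay(key_fn, never_cache: frozenset[str] = frozenset()) -> tuple[bool, bool, int]:
    """Replay the advisory's sequence: the user approves 'ls /tmp', then the agent
    issues execute_command with different arguments. Returns
    (first allowed, second allowed, prompts shown)."""
    def user_policy(tool: str, args: ToolArgs) -> bool:
        return args.get("command") == "ls /tmp"  # user only ever approves the listing
    gate = ApprovalGate(key_fn, user_policy, never_cache)
    first = gate.authorize("execute_command", {"command": "ls /tmp"})
    second = gate.authorize("execute_command", {"command": "some-other-command"})
    return first, second, gate.prompts
```

With name-only keying the replay returns (True, True, 1): the second call runs with no prompt at all; with name-plus-arguments keying it returns (True, False, 2), because the changed argument triggers a second prompt that the user declines.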

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.6 - AI system access control
NIST AI RMF: GOVERN 1.7 - Processes for AI risk management
OWASP LLM Top 10: LLM08:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-56074 actively exploited?

No confirmed active exploitation of CVE-2026-56074 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56074?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Autonomous agent deployments, Local AI assistant environments, Multi-agent orchestration pipelines.

What is the CVSS score for CVE-2026-56074?

CVE-2026-56074 has a CVSS v3.1 base score of 5.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Autonomous agent deployments
Local AI assistant environments
Multi-agent orchestration pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.

Exploitation Scenario

An attacker who can influence the prompts or input data processed by a PraisonAI agent — via prompt injection embedded in a malicious README, a crafted file the agent reads during a coding task, or direct social engineering — first causes the agent to propose a benign shell command such as 'ls /tmp' for user review. The user approves, and PraisonAI caches authorization under the key 'execute_command'. The attacker's payload then triggers subsequent execute_command calls with malicious arguments — for example, reading OPENAI_API_KEY from the process environment and POSTing it to an attacker-controlled endpoint via curl — which execute silently without any further consent prompt. In an agentic developer assistant scenario, this entire sequence can be triggered by processing a single malicious source file, making the compromise completely invisible to the developer who believed they only approved a harmless directory listing.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Timeline

Published: June 18, 2026
Last Modified: June 18, 2026
First Seen: June 19, 2026