CVE-2026-61447: PraisonAI: RCE via unsandboxed LLM code execution
CRITICALPraisonAI's CodeAgent runs Python code generated by the LLM directly on the host, with no AST validation, import restrictions, or sandbox — meaning anything the model writes, the OS executes. Because the attack surface is prompt injection (network, no auth, no user interaction, CVSS 10), any untrusted content the agent ingests — a scraped webpage, a tool response, a user message — can steer the LLM into emitting code that reads environment variables and calls out to attacker infrastructure. There's no EPSS score or CISA KEV listing yet since this just published, and no public PoC or Nuclei template has surfaced, but a full working exploit is a GHSA advisory and a VulnCheck writeup away, and agent frameworks that auto-execute LLM output are exactly the kind of high-value, low-effort target opportunistic attackers scan for. Upgrade to PraisonAI 1.6.78 immediately; if you can't patch today, disable or isolate CodeAgent in a locked-down container with no access to production secrets, and audit any environment where this agent has run for signs of unexpected outbound connections or env var access.
What is the risk?
Maximum severity (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) — network-reachable, no privileges or user interaction needed, and a scope change meaning compromise extends beyond the agent process to the full host. The only mitigating factor right now is immaturity of public exploitation: no EPSS score, not in CISA KEV, no known public exploit or Nuclei template as of publication. That window is likely to close quickly given the trivial exploit path (prompt injection → unsandboxed exec) and the fact that this is a well-documented, high-impact vulnerability class in agent frameworks. Any deployment where CodeAgent processes untrusted or externally-influenced input should be treated as actively at risk.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | — | No patch |
Do you use PraisonAI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade to PraisonAI 1.6.78 or later immediately — this is the primary fix. Until patched, disable CodeAgent's Python execution capability or wrap it in a hardened sandbox (gVisor, Firecracker microVM, or a network-isolated container with no mounted credentials). Apply defense in depth even post-patch: AST-based validation/import allowlisting for any LLM-generated code path, least-privilege environment variables (never inject production secrets into agent execution contexts), and egress filtering to block unexpected outbound connections. Detection: monitor for anomalous subprocess spawns, unexpected outbound network calls, or environment variable enumeration (os.environ access) originating from agent processes; review logs for unusual CodeAgent invocations correlated with external/untrusted input sources.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-61447?
PraisonAI's CodeAgent runs Python code generated by the LLM directly on the host, with no AST validation, import restrictions, or sandbox — meaning anything the model writes, the OS executes. Because the attack surface is prompt injection (network, no auth, no user interaction, CVSS 10), any untrusted content the agent ingests — a scraped webpage, a tool response, a user message — can steer the LLM into emitting code that reads environment variables and calls out to attacker infrastructure. There's no EPSS score or CISA KEV listing yet since this just published, and no public PoC or Nuclei template has surfaced, but a full working exploit is a GHSA advisory and a VulnCheck writeup away, and agent frameworks that auto-execute LLM output are exactly the kind of high-value, low-effort target opportunistic attackers scan for. Upgrade to PraisonAI 1.6.78 immediately; if you can't patch today, disable or isolate CodeAgent in a locked-down container with no access to production secrets, and audit any environment where this agent has run for signs of unexpected outbound connections or env var access.
Is CVE-2026-61447 actively exploited?
No confirmed active exploitation of CVE-2026-61447 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-61447?
Upgrade to PraisonAI 1.6.78 or later immediately — this is the primary fix. Until patched, disable CodeAgent's Python execution capability or wrap it in a hardened sandbox (gVisor, Firecracker microVM, or a network-isolated container with no mounted credentials). Apply defense in depth even post-patch: AST-based validation/import allowlisting for any LLM-generated code path, least-privilege environment variables (never inject production secrets into agent execution contexts), and egress filtering to block unexpected outbound connections. Detection: monitor for anomalous subprocess spawns, unexpected outbound network calls, or environment variable enumeration (os.environ access) originating from agent processes; review logs for unusual CodeAgent invocations correlated with external/untrusted input sources.
What systems are affected by CVE-2026-61447?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, autonomous code execution agents, CI/CD and dev-automation pipelines.
What is the CVSS score for CVE-2026-61447?
CVE-2026-61447 has a CVSS v3.1 base score of 10.0 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means AML.T0050 Command and Scripting Interpreter AML.T0051 LLM Prompt Injection AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through prompt injection to exfiltrate all environment secrets and execute arbitrary code on the host system.
Exploitation Scenario
An attacker identifies a PraisonAI-based agent that processes external content — for example, a customer support agent that summarizes incoming emails or a research agent that ingests scraped web pages. The attacker embeds a prompt injection payload in that content instructing the LLM to generate Python code disguised as a legitimate task (e.g., 'to complete this analysis, run the following helper code'). CodeAgent._execute_python() executes the LLM's output with no validation, and the injected code reads environment secrets and posts them to an attacker-controlled endpoint, or opens a reverse shell for persistent host access — achieving full compromise without the attacker ever directly interacting with the vulnerable system.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-61445 9.9 PraisonAI: AICoder root RCE via unsanitized tool calls
Same package: praisonai GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai