CVE-2026-61447: PraisonAI: RCE via unsandboxed LLM code execution

CRITICAL
Published July 11, 2026
CISO Take

PraisonAI's CodeAgent runs Python code generated by the LLM directly on the host, with no AST validation, import restrictions, or sandbox — meaning anything the model writes, the OS executes. Because the attack surface is prompt injection (network, no auth, no user interaction, CVSS 10), any untrusted content the agent ingests — a scraped webpage, a tool response, a user message — can steer the LLM into emitting code that reads environment variables and calls out to attacker infrastructure. There's no EPSS score or CISA KEV listing yet since this just published, and no public PoC or Nuclei template has surfaced, but a full working exploit is a GHSA advisory and a VulnCheck writeup away, and agent frameworks that auto-execute LLM output are exactly the kind of high-value, low-effort target opportunistic attackers scan for. Upgrade to PraisonAI 1.6.78 immediately; if you can't patch today, disable or isolate CodeAgent in a locked-down container with no access to production secrets, and audit any environment where this agent has run for signs of unexpected outbound connections or env var access.

Sources: NVD GitHub Advisory ATLAS vulncheck.com

What is the risk?

Maximum severity (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) — network-reachable, no privileges or user interaction needed, and a scope change meaning compromise extends beyond the agent process to the full host. The only mitigating factor right now is immaturity of public exploitation: no EPSS score, not in CISA KEV, no known public exploit or Nuclei template as of publication. That window is likely to close quickly given the trivial exploit path (prompt injection → unsandboxed exec) and the fact that this is a well-documented, high-impact vulnerability class in agent frameworks. Any deployment where CodeAgent processes untrusted or externally-influenced input should be treated as actively at risk.

How does the attack unfold?

Initial Access
Attacker embeds a prompt injection payload in content the PraisonAI agent ingests (email, webpage, tool response, or direct query).
AML.T0051
Execution
The manipulated LLM output causes CodeAgent._execute_python() to run attacker-controlled Python with no AST validation, import restrictions, or sandbox.
AML.T0050
Credential Access
The executed code enumerates and reads environment variables, harvesting all secrets available to the host process.
AML.T0055
Impact
Harvested secrets and further arbitrary code execution give the attacker full compromise of the host running the agent.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip No patch
1 dependents 74% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. Upgrade to PraisonAI 1.6.78 or later immediately — this is the primary fix. Until patched, disable CodeAgent's Python execution capability or wrap it in a hardened sandbox (gVisor, Firecracker microVM, or a network-isolated container with no mounted credentials). Apply defense in depth even post-patch: AST-based validation/import allowlisting for any LLM-generated code path, least-privilege environment variables (never inject production secrets into agent execution contexts), and egress filtering to block unexpected outbound connections. Detection: monitor for anomalous subprocess spawns, unexpected outbound network calls, or environment variable enumeration (os.environ access) originating from agent processes; review logs for unusual CodeAgent invocations correlated with external/untrusted input sources.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
NIST AI RMF
MEASURE-2.7 - AI system security and resilience evaluation
OWASP LLM Top 10
LLM01 - Prompt Injection LLM02 - Insecure Output Handling LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-61447?

PraisonAI's CodeAgent runs Python code generated by the LLM directly on the host, with no AST validation, import restrictions, or sandbox — meaning anything the model writes, the OS executes. Because the attack surface is prompt injection (network, no auth, no user interaction, CVSS 10), any untrusted content the agent ingests — a scraped webpage, a tool response, a user message — can steer the LLM into emitting code that reads environment variables and calls out to attacker infrastructure. There's no EPSS score or CISA KEV listing yet since this just published, and no public PoC or Nuclei template has surfaced, but a full working exploit is a GHSA advisory and a VulnCheck writeup away, and agent frameworks that auto-execute LLM output are exactly the kind of high-value, low-effort target opportunistic attackers scan for. Upgrade to PraisonAI 1.6.78 immediately; if you can't patch today, disable or isolate CodeAgent in a locked-down container with no access to production secrets, and audit any environment where this agent has run for signs of unexpected outbound connections or env var access.

Is CVE-2026-61447 actively exploited?

No confirmed active exploitation of CVE-2026-61447 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-61447?

Upgrade to PraisonAI 1.6.78 or later immediately — this is the primary fix. Until patched, disable CodeAgent's Python execution capability or wrap it in a hardened sandbox (gVisor, Firecracker microVM, or a network-isolated container with no mounted credentials). Apply defense in depth even post-patch: AST-based validation/import allowlisting for any LLM-generated code path, least-privilege environment variables (never inject production secrets into agent execution contexts), and egress filtering to block unexpected outbound connections. Detection: monitor for anomalous subprocess spawns, unexpected outbound network calls, or environment variable enumeration (os.environ access) originating from agent processes; review logs for unusual CodeAgent invocations correlated with external/untrusted input sources.

What systems are affected by CVE-2026-61447?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, autonomous code execution agents, CI/CD and dev-automation pipelines.

What is the CVSS score for CVE-2026-61447?

CVE-2026-61447 has a CVSS v3.1 base score of 10.0 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksautonomous code execution agentsCI/CD and dev-automation pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0050 Command and Scripting Interpreter
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE-2.7
OWASP LLM Top 10: LLM01, LLM02, LLM08

What are the technical details?

Original Advisory

PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through prompt injection to exfiltrate all environment secrets and execute arbitrary code on the host system.

Exploitation Scenario

An attacker identifies a PraisonAI-based agent that processes external content — for example, a customer support agent that summarizes incoming emails or a research agent that ingests scraped web pages. The attacker embeds a prompt injection payload in that content instructing the LLM to generate Python code disguised as a legitimate task (e.g., 'to complete this analysis, run the following helper code'). CodeAgent._execute_python() executes the LLM's output with no validation, and the injected code reads environment secrets and posts them to an attacker-controlled endpoint, or opens a reverse shell for persistent host access — achieving full compromise without the attacker ever directly interacting with the vulnerable system.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 11, 2026
Last Modified
July 11, 2026
First Seen
July 11, 2026

Related Vulnerabilities