CVE-2026-61447: PraisonAI prompt injection to remote code execution
TL;DR - PraisonAI before 1.6.78 is vulnerable to critical RCE via unsafe execution of LLM-generated Python. - Users running CodeAgent workflows should upgrade to 1.6.78 and review for secret exposure. - Treat as urgent because compromise can lead to host takeover and environment variable theft.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-61447 |
| CVSS Score | 10.0 (NVD) |
| Attack Vector | Remote, via attacker-influenced prompt injection leading to malicious LLM-generated Python |
| Privileges Required | Unknown in the published summary; defenders should assume low or no attacker privileges may be sufficient where untrusted prompts reach the agent |
| Patch Available | Yes, fixed in PraisonAI 1.6.78 |
CVE-2026-61447 is a critical remote code execution flaw in PraisonAI. According to the NVD description, the issue exists in CodeAgent._execute_python() and stems from executing LLM-generated Python code without key safety controls. Specifically, the published record calls out missing AST validation, missing import restrictions, and missing sandbox enforcement.
For practitioners, the operational impact is straightforward: if an attacker can influence the model’s output through prompt injection or other untrusted input paths, that generated Python may be executed directly on the host. That creates immediate risk of arbitrary command execution, environment secret exfiltration, and downstream compromise of cloud credentials, API tokens, or internal systems.
What Is This Vulnerability?
At the root of this issue is unsafe trust in model output. PraisonAI’s vulnerable behavior, as described by NVD, is that CodeAgent._execute_python() executes Python generated by the LLM without validating the abstract syntax tree, limiting imports, or enforcing a sandbox. In practice, that means the application treats generated code as safe enough to run locally even though the model can be steered by malicious prompts.
This is not merely a “bad response” problem or a content integrity issue. It is a code execution flaw because model output crosses a security boundary and becomes executable input to the Python runtime. If an attacker can inject instructions into the prompt chain, retrieved context, task input, or any other content path consumed by the model, they may be able to cause the model to emit Python that reads environment variables, touches the filesystem, opens network connections, or launches system commands.
The especially dangerous aspect is secret exposure. Environment variables frequently contain API keys, database passwords, cloud access tokens, Git credentials, webhook secrets, and internal service endpoints. If those values are accessible to the process executing generated code, malicious Python can collect and exfiltrate them with very little effort.
From a defensive standpoint, this vulnerability sits at the intersection of LLM application security and classic code injection. Prompt injection is the delivery mechanism; unrestricted Python execution is the exploit primitive. That combination is why the issue rates as critical and why organizations should treat AI agent hosts as potentially fully compromised if exploitation is suspected.
Who Is Affected?
The affected product is PraisonAI, maintained under the MervinPraison / PraisonAI project namespace referenced by NVD. The vulnerable version range published in the available sources is all versions before 1.6.78. The fixed version is explicitly identified as 1.6.78.
If you run PraisonAI in any environment where agents can process untrusted or semi-trusted input, you should assume exposure until you verify the installed version. This includes self-hosted development environments, demo systems, CI workflows, research instances, or production automation where agents are allowed to execute code as part of task completion.
The published description does not provide a narrower subcomponent version matrix beyond identifying CodeAgent._execute_python() as the vulnerable function. In the absence of a more detailed maintainer advisory in the supplied source material, defenders should work from the conservative assumption that any deployment of PraisonAI before 1.6.78 that uses the relevant code execution path is in scope.
Because the flaw involves execution on the host running the agent, impact severity also depends on deployment context. A developer laptop, shared VM, CI runner, container with mounted secrets, or cloud instance role can all amplify the blast radius. Even if the application itself is not internet-facing, exposure can still exist if untrusted content is fed into the model from user prompts, documents, integrations, or external data sources.
CVSS Score Breakdown
NVD assigns CVSS v3.x Base Score 10.0, which is the maximum severity. The compact research note did not include the full vector string, so any component-level interpretation should be treated carefully. Still, the score aligns with the described impact: remote exploitability, arbitrary code execution, and likely complete compromise of confidentiality, integrity, and availability on the host.
A reasonable reading of the severity is that the issue is remotely triggerable through attacker-controlled prompt input, does not require deep prior access to the target host, and can produce high-impact outcomes immediately after code execution. The NVD description explicitly states that attackers can exfiltrate all environment secrets and execute arbitrary code on the host system, which strongly supports severe impact across all three security objectives.
One nuance matters for defenders: the Privileges Required and User Interaction characteristics are not fully recoverable from the supplied compact data. That does not reduce urgency. In real deployments, many AI agent systems inherently process user-supplied or externally sourced content, so an attacker may only need influence over that content rather than authenticated shell or administrative access.
In practical terms, whether the attack path requires a user to submit a task, approve execution, or trigger an agent run will depend on how PraisonAI is integrated. Security teams should therefore score their own exposure based on workflow automation, code execution defaults, reachable inputs, and the privilege level of the account running the agent process.
Exploitation Status
Based on the supplied sources, active exploitation in the wild is not confirmed. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing, which means there is no primary-source KEV confirmation of observed exploitation.
Also based on the supplied sources, a public proof of concept has not been verified. The research note references an NVD-listed GitHub security advisory and a VulnCheck advisory URL, but no directly confirmed public exploit repository or PoC code was available in the retrieved material. That is different from saying exploitation is impossible. The vulnerability description itself is concrete enough that experienced attackers or researchers may be able to reproduce the issue without much difficulty.
Defenders should therefore avoid a false sense of safety. A missing public PoC often only means disclosure is fresh, advisory access is incomplete, or exploit code is circulating privately. For AI agent vulnerabilities involving direct execution of model-generated code, exploit development is often simpler than for memory corruption flaws because the vulnerable behavior is already close to the attacker goal.
Operationally, treat the vulnerability as highly exploitable until proven otherwise, especially if your deployment allows code-capable agents to handle untrusted prompts or documents. If your organization stores cloud, CI, or application secrets in environment variables on the same host, assume post-exploitation objectives will focus on credential theft first.
How to Detect It
Detection should focus on two things: whether a vulnerable version of PraisonAI is present, and whether the host shows signs that LLM-generated Python executed suspicious actions. Because the public record identifies CodeAgent._execute_python() as the risky function but does not provide official IOCs, defenders will need to correlate application activity with process, network, and secret access telemetry.
Start by inventorying PraisonAI versions and identifying where code execution features are enabled. Then review agent task logs, console output, process creation logs, container runtime logs, and outbound network telemetry around times when the agent handled untrusted prompts. Look for signs of Python code reading environment variables, opening shells, invoking subprocess, importing os, socket, or HTTP libraries, or connecting to unfamiliar external endpoints shortly after agent activity.
If your logging captures generated code blocks, search for common exfiltration patterns such as iterating over os.environ, writing temporary files, calling requests.post, or launching shell commands through os.system or subprocess. If generated code is not logged, fall back to EDR, Sysmon, auditd, or container event logs to identify suspicious child processes spawned from the PraisonAI Python process.
Technical Notes
Example Linux process and shell history hunting:
ps aux | grep -i praison
pip show praisonai
python -c "import praisonai; print(getattr(praisonai, '__version__', 'unknown'))"
grep -R -E "os\.environ|subprocess|os\.system|requests\.post|socket|eval|exec" /var/log /opt /srv 2>/dev/null
Example Sysmon-style logic to hunt for suspicious child processes from Python:
ParentImage ends with python or python3
AND (
Image ends with /sh
OR Image ends with /bash
OR Image ends with /curl
OR Image ends with /wget
OR CommandLine contains "env"
OR CommandLine contains "printenv"
)
AND (
ParentCommandLine contains "praison"
OR ParentCommandLine contains "CodeAgent"
)
Example Splunk query pattern for suspicious process execution tied to PraisonAI:
index=edr (process_name=python OR process_name=python3)
(parent_process_command_line="*praison*" OR process_command_line="*CodeAgent*")
(process_name=bash OR process_name=sh OR process_name=curl OR process_name=wget OR process_command_line="*printenv*" OR process_command_line="*os.environ*")
| stats count min(_time) as firstSeen max(_time) as lastSeen by host user parent_process_name process_name process_command_line
Example network hunting idea where the Python process makes unexpected outbound connections after agent execution:
Source process: python/python3 associated with PraisonAI
Destination: new or rare external IP/domain
Timing: within seconds or minutes of an agent task
Protocol: HTTPS or raw TCP from a host that normally does not egress broadly
Because no official network signatures or file-path IOCs were included in the supplied advisories, assume behavior-based detection is more reliable than static indicators for this CVE.
Mitigation and Patching
The primary mitigation is to upgrade PraisonAI to version 1.6.78. The available sources explicitly state that versions before 1.6.78 are affected and that 1.6.78 contains the fix. If you operate any earlier version, prioritize patching immediately.
Patching alone may not be sufficient if you suspect exploitation already occurred. Since the vulnerability can expose environment secrets and run arbitrary code, you should treat the host as potentially compromised. That means rotating API keys, cloud credentials, Git tokens, webhook secrets, and any other environment-based secrets available to the process. Review persistence mechanisms, scheduled jobs, modified files, and recent network activity before declaring the system clean.
If you cannot patch immediately, reduce exposure by disabling or restricting the code execution path used by vulnerable agents. The source material does not provide an official vendor workaround beyond upgrading, so any temporary control should be treated as a risk reduction measure, not a complete fix. Practical stopgaps include isolating the host, removing sensitive environment variables, blocking unnecessary outbound network access, and ensuring the service runs as a low-privilege account inside a hardened container or sandbox.
Technical Notes
Upgrade command examples for Python package deployments:
python -m pip install --upgrade "praisonai==1.6.78"
If you are using a requirements file, pin the fixed version:
praisonai==1.6.78
Then apply and verify:
python -m pip install -r requirements.txt
python -c "import praisonai; print(getattr(praisonai, '__version__', 'unknown'))"
Temporary containment measures if immediate upgrade is not possible:
# Run the service with minimal environment exposure
env -i PATH=/usr/bin:/bin python your_praison_app.py
Example systemd hardening concepts for interim risk reduction:
[Service]
User=praison
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
Environment=
Those controls do not replace the vendor fix. They only reduce the impact surface by limiting accessible secrets and host capabilities. Because the root issue is unsafe execution of model-generated Python, the only confirmed remediation from the published sources is upgrading to 1.6.78.
References
The primary reference is the NVD entry for CVE-2026-61447, which provides the authoritative public summary used in this article. It states that PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() caused by executing LLM-generated Python without AST validation, import restrictions, or sandbox enforcement.
A second key reference is the GitHub Security Advisory under the PraisonAI project namespace. While the supplied retrieval context did not expose the full advisory body, the advisory URL is listed by NVD and serves as the canonical project disclosure location. A third NVD-listed reference points to a VulnCheck advisory URL, but that page was not retrievable in the supplied environment, so it should not be relied on here for details not independently confirmed.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-61447
- GitHub Security Advisory: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xv2-w8cq-5gxw
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD-listed VulnCheck reference: https://www.vulncheck.com/advisories/praisonai-before-remote-code-execution-via-codeagent
If you need to brief stakeholders, the key message is simple: CVE-2026-61447 is a critical RCE in PraisonAI before 1.6.78, exploitation status is not confirmed publicly, and the correct defensive action is immediate upgrade plus secret review and compromise assessment.
For further information on protecting your meeting recordings and transcripts, check out our guide on practical controls that work. Additionally, if you’re interested in understanding more about FIDO2, visit our glossary on what FIDO2 is.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.