PraisonAI flaws allowed auth bypass and second-order SQL injection
PraisonAI, a multi-agent teams platform, disclosed two high-severity vulnerabilities affecting versions before 4.5.97 and 4.5.90. The more severe issue, tracked as CVE-2026-34953, stems from OAuthManager.validate_token() returning True for tokens missing from its internal store, which is empty by default. That logic flaw lets attackers present arbitrary Bearer tokens to authenticate to the MCP server and gain full access to registered tools and agent capabilities. The vulnerability was classified as CWE-863 with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
A second flaw, CVE-2026-34934, exposed PraisonAI to second-order SQL injection through get_all_user_threads. In affected versions before 4.5.90, the function constructed raw SQL queries with Python f-strings using unescaped thread IDs previously stored in the database, allowing an attacker to plant a malicious thread ID via update_thread and trigger injection when thread lists were loaded. The bug could lead to full database compromise and was classified as CWE-89 with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; both issues were addressed in patched releases published through GitHub Security Advisories.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
GitHub advisory discloses CVE-2026-34954 SSRF flaw
A GitHub Security Advisory disclosed CVE-2026-34954 on April 3, 2026, describing a server-side request forgery vulnerability in FileTools.download_file() in praisonaiagents before version 1.5.95. The flaw stemmed from unvalidated URLs being passed to httpx.stream() with redirects enabled, potentially allowing access to internal services and cloud metadata endpoints, and was patched in version 1.5.95.
PraisonAI fixes Python sandbox escape in version 1.5.90
PraisonAI patched CVE-2026-34938, a Python sandbox escape in execute_code(), in version 1.5.90. The flaw affected praisonai-agents versions prior to 1.5.90 and allowed attacker-controlled code to bypass sandbox protections via a str subclass overriding startswith(), potentially leading to arbitrary OS command execution on the host.
GitHub advisory discloses CVE-2026-34952
A GitHub security advisory recorded CVE-2026-34952 on April 3, 2026, describing a missing authentication flaw in the PraisonAI Gateway server prior to version 4.5.97. The issue allowed unauthenticated network clients to access the /ws WebSocket and /info endpoints to enumerate agents and send arbitrary messages to agents and their tool sets.
GitHub advisory publishes CVE-2026-34953
GitHub Security Advisories newly received CVE-2026-34953 on April 3, 2026, documenting an authentication bypass in PraisonAI. The flaw was classified as CWE-863 and could give unauthenticated attackers full access to registered tools and agent capabilities via the MCP server.
PraisonAI fixes OAuth authentication bypass in version 4.5.97
PraisonAI patched an authentication bypass vulnerability in OAuthManager.validate_token() in version 4.5.97. The issue affected versions prior to 4.5.97 and allowed arbitrary Bearer tokens to authenticate to the MCP server because unknown tokens were incorrectly accepted when the internal token store was empty by default.
PraisonAI fixes OS command injection in version 4.5.69
PraisonAI patched CVE-2026-34935, an OS command injection flaw in MCPHandler.parse_mcp_command(), in version 4.5.69. The issue affected versions 4.5.15 through 4.5.68 and could allow arbitrary command execution via unsafe handling of the --mcp CLI argument.
GitHub advisory discloses CVE-2026-34934
A GitHub security advisory disclosed CVE-2026-34934 on April 3, 2026, describing a second-order SQL injection issue in PraisonAI. The vulnerability was classified as CWE-89 and assigned a high-severity CVSS v3.1 score vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
PraisonAI fixes SQL injection flaw in version 4.5.90
PraisonAI patched a second-order SQL injection vulnerability in get_all_user_threads in version 4.5.90. The flaw affected versions prior to 4.5.90 and could allow an attacker to store a malicious thread ID and later trigger SQL injection for potential full database access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CVE-2026-34953 - PraisonAI: Authentication Bypass in OAuthManager.validate_token()
cvefeed.io
Open sourceCVE-2026-34934 - PraisonAI: Second-Order SQL Injection in `get_all_user_threads`
cvefeed.io
Open sourceCVE-2026-34935 - PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
cvefeed.io
Open sourceCVE-2026-34954 - PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL
cvefeed.io
Open sourceCVE-2026-34952 - PraisonAI: Missing Authentication in WebSocket Gateway
cvefeed.io
Open sourceCVE-2026-34938 - PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PraisonAI Flaws Enable Template Injection and Remote Template Code Execution
PraisonAI disclosed two high-severity vulnerabilities affecting its multi-agent teams platform, both tied to unsafe handling of templates. **CVE-2026-39891** affects versions before `4.5.115` and allows template injection through agent tool definitions: the `create_agent_centric_tools()` function returns tools that render file content as templates, so unescaped input supplied via `agent.start()` can cause template expressions to execute rather than be treated as plain text. The flaw is tracked as **CWE-94** and carries a CVSS v3.1 score vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. A second issue, **CVE-2026-40154**, affects versions before `4.5.128` and exposes PraisonAI to remote template code execution through untrusted externally fetched template files. The advisory says the product treated remote templates as trusted executable code without integrity checks, origin validation, or user confirmation, creating a supply-chain attack path for malicious templates. That vulnerability is mapped to **CWE-829** with CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`. PraisonAI fixed the issues in versions `4.5.115` and `4.5.128`, with GitHub advisories published as **GHSA-hwg5-x759-7wjg** and **GHSA-pv9q-275h-rh7x**.
Apr 10, 2026
PraisonAI Authentication Bypass Scanned Within Hours of Disclosure
Threat actors began probing internet-exposed **PraisonAI** instances within **3 hours and 44 minutes** of public disclosure of `CVE-2026-44338`, a missing-authentication flaw in the product’s legacy Flask API server. The vulnerability, tracked in GitHub advisory `GHSA-6rmh-7xcm-cpxj`, affects versions **2.5.6 through 4.6.33** and was fixed in **4.6.34**. Sysdig said the issue stems from authentication being disabled by default in the legacy `api_server.py`, allowing unauthenticated access to protected endpoints including `GET /agents` and `POST /chat`. Sysdig observed scanning from **146.190.133[.]49** using the User-Agent **`CVE-Detector/1.0`**, with activity focused on validating exploitability rather than full hands-on abuse, as no `POST /chat` requests were seen. Even so, exposed deployments could allow attackers to view agent configurations, trigger workflows defined in `agents.yaml`, exhaust model or API quotas, expose data, or execute downstream actions through connected tools. Defenders were urged to upgrade to **PraisonAI 4.6.34 or later**, retire the legacy API server, restrict exposure of **port 8080**, monitor for unauthenticated requests to `/agents` and `/chat`, and review credentials and billing tied to configured agents.
May 15, 2026
PraisonAI Sandbox Bypasses Enabled Arbitrary Code Execution in Agent Python Tools
Two high-severity vulnerabilities in PraisonAI exposed its Python sandbox protections to bypass, allowing arbitrary code execution when untrusted agent code was run. `CVE-2026-39888` affected versions prior to `1.5.115` in `praisonaiagents.tools.python_tools.execute_code()` when `sandbox_mode` defaulted to `sandbox`; the subprocess wrapper relied on a restricted `__builtins__` dictionary and an incomplete AST blocklist that omitted frame-traversal attributes including `__traceback__`, `tb_frame`, `f_back`, and `f_builtins`. By catching an exception and traversing frames, an attacker could recover the real Python builtins from the wrapper frame and invoke `exec`, defeating the intended sandbox restrictions. A second flaw, `CVE-2026-40158`, affected PraisonAI versions prior to `4.5.128` in `_execute_code_direct` within `praisonaiagents/tools/python_tools.py`. That sandbox used AST filtering to block dangerous Python attributes, but only inspected `ast.Attribute` nodes and missed dynamic attribute resolution through built-in mechanisms such as `type.__getattribute__`. Attackers could therefore reach blocked capabilities such as `__subclasses__` through a trampoline technique because the string appeared as an `ast.Constant` rather than an `ast.Attribute`, undermining the protection model until the vendor patched the issue in `4.5.128`.
Apr 10, 2026