PraisonAI Flaws Enable Template Injection and Remote Template Code Execution
PraisonAI disclosed two high-severity vulnerabilities affecting its multi-agent teams platform, both tied to unsafe handling of templates. CVE-2026-39891 affects versions before 4.5.115 and allows template injection through agent tool definitions: the create_agent_centric_tools() function returns tools that render file content as templates, so unescaped input supplied via agent.start() can cause template expressions to execute rather than be treated as plain text. The flaw is tracked as CWE-94 and carries a CVSS v3.1 score vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability.
A second issue, CVE-2026-40154, affects versions before 4.5.128 and exposes PraisonAI to remote template code execution through untrusted externally fetched template files. The advisory says the product treated remote templates as trusted executable code without integrity checks, origin validation, or user confirmation, creating a supply-chain attack path for malicious templates. That vulnerability is mapped to CWE-829 with CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. PraisonAI fixed the issues in versions 4.5.115 and 4.5.128, with GitHub advisories published as GHSA-hwg5-x759-7wjg and GHSA-pv9q-275h-rh7x.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-40154 advisory published by GitHub
GitHub Security Advisories published CVE-2026-40154 on April 9, 2026, describing an untrusted remote template code execution issue in PraisonAI. The flaw was mapped to CWE-829 and assigned a CVSS v3.1 vector reflecting high confidentiality and integrity impact.
PraisonAI fixes remote template code execution issue in version 4.5.128
PraisonAI fixed CVE-2026-40154 in version 4.5.128, addressing unsafe handling of remotely fetched template files as trusted executable code. The issue affected versions prior to 4.5.128 and created supply-chain attack risk through malicious templates.
CVE-2026-39891 disclosed for PraisonAI
A high-severity vulnerability, CVE-2026-39891, was publicly disclosed for PraisonAI on a GitHub Security Advisory. It was classified as CWE-94 and assigned a CVSS v3.1 score indicating high impact to confidentiality, integrity, and availability.
PraisonAI fixes template injection flaw in version 4.5.115
PraisonAI addressed CVE-2026-39891, a template injection vulnerability in create_agent_centric_tools() affecting versions prior to 4.5.115. The flaw allowed template expressions in unescaped user input from agent.start() to be executed instead of treated as literal text.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PraisonAI flaws allowed auth bypass and second-order SQL injection
PraisonAI, a multi-agent teams platform, disclosed two high-severity vulnerabilities affecting versions before **4.5.97** and **4.5.90**. The more severe issue, tracked as `CVE-2026-34953`, stems from `OAuthManager.validate_token()` returning `True` for tokens missing from its internal store, which is empty by default. That logic flaw lets attackers present arbitrary Bearer tokens to authenticate to the MCP server and gain full access to registered tools and agent capabilities. The vulnerability was classified as **CWE-863** with a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`. A second flaw, `CVE-2026-34934`, exposed PraisonAI to second-order SQL injection through `get_all_user_threads`. In affected versions before **4.5.90**, the function constructed raw SQL queries with Python f-strings using unescaped thread IDs previously stored in the database, allowing an attacker to plant a malicious thread ID via `update_thread` and trigger injection when thread lists were loaded. The bug could lead to full database compromise and was classified as **CWE-89** with a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`; both issues were addressed in patched releases published through GitHub Security Advisories.
Apr 4, 2026
PraisonAI Sandbox Bypasses Enabled Arbitrary Code Execution in Agent Python Tools
Two high-severity vulnerabilities in PraisonAI exposed its Python sandbox protections to bypass, allowing arbitrary code execution when untrusted agent code was run. `CVE-2026-39888` affected versions prior to `1.5.115` in `praisonaiagents.tools.python_tools.execute_code()` when `sandbox_mode` defaulted to `sandbox`; the subprocess wrapper relied on a restricted `__builtins__` dictionary and an incomplete AST blocklist that omitted frame-traversal attributes including `__traceback__`, `tb_frame`, `f_back`, and `f_builtins`. By catching an exception and traversing frames, an attacker could recover the real Python builtins from the wrapper frame and invoke `exec`, defeating the intended sandbox restrictions. A second flaw, `CVE-2026-40158`, affected PraisonAI versions prior to `4.5.128` in `_execute_code_direct` within `praisonaiagents/tools/python_tools.py`. That sandbox used AST filtering to block dangerous Python attributes, but only inspected `ast.Attribute` nodes and missed dynamic attribute resolution through built-in mechanisms such as `type.__getattribute__`. Attackers could therefore reach blocked capabilities such as `__subclasses__` through a trampoline technique because the string appeared as an `ast.Constant` rather than an `ast.Attribute`, undermining the protection model until the vendor patched the issue in `4.5.128`.
Apr 10, 2026
PraisonAI Authentication Bypass Scanned Within Hours of Disclosure
Threat actors began probing internet-exposed **PraisonAI** instances within **3 hours and 44 minutes** of public disclosure of `CVE-2026-44338`, a missing-authentication flaw in the product’s legacy Flask API server. The vulnerability, tracked in GitHub advisory `GHSA-6rmh-7xcm-cpxj`, affects versions **2.5.6 through 4.6.33** and was fixed in **4.6.34**. Sysdig said the issue stems from authentication being disabled by default in the legacy `api_server.py`, allowing unauthenticated access to protected endpoints including `GET /agents` and `POST /chat`. Sysdig observed scanning from **146.190.133[.]49** using the User-Agent **`CVE-Detector/1.0`**, with activity focused on validating exploitability rather than full hands-on abuse, as no `POST /chat` requests were seen. Even so, exposed deployments could allow attackers to view agent configurations, trigger workflows defined in `agents.yaml`, exhaust model or API quotas, expose data, or execute downstream actions through connected tools. Defenders were urged to upgrade to **PraisonAI 4.6.34 or later**, retire the legacy API server, restrict exposure of **port 8080**, monitor for unauthenticated requests to `/agents` and `/chat`, and review credentials and billing tied to configured agents.
May 15, 2026