Overview
CVE-2026-61447 is a maximum-severity (CVSS 10.0) remote code execution vulnerability in PraisonAI, an open-source multi-AI-agent framework. The flaw exists in the CodeAgent._execute_python() method, which executes LLM-generated Python code directly on the host system without any of the safeguards required for safely running untrusted code: no AST validation, no import restrictions, and no sandbox enforcement.
An attacker who can influence what the LLM produces — through prompt injection via user-supplied input, tool outputs, or retrieved documents — can cause arbitrary Python code to run with the privileges of the PraisonAI process.
Technical Details
PraisonAI's CodeAgent is designed to allow AI agents to write and execute Python code autonomously. The vulnerable code path in _execute_python() calls exec() (or equivalent) on the raw string produced by the LLM:
- No AST validation: The generated code is not parsed or inspected before execution.
- No import allow-list or block-list: Modules such as
os,subprocess,socket, andshutilcan be imported freely. - No sandbox: The code runs in the same Python process with access to the full filesystem, environment variables, and network stack.
The attack vector is prompt injection: an adversary embeds a malicious instruction in content the agent processes (e.g., a web page, a document, a tool response, or a chat message). The LLM faithfully includes the attacker's code in its output, and _execute_python() executes it.
Potential Impact
- Credential theft: Environment variables — including API keys, database passwords, and cloud credentials — can be exfiltrated in seconds.
- Full system compromise: Reverse shells, backdoors, and lateral movement are trivially achievable.
- Supply-chain risk: Agents running in CI/CD or DevOps pipelines could be used to tamper with builds or push malicious artifacts.
- Data destruction: The attacker can read, write, or delete arbitrary files accessible to the process.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| PraisonAI | < 1.6.78 | 1.6.78+ |
Remediation
Upgrade immediately to PraisonAI 1.6.78 or later. The fixed release introduces code-execution sandboxing, AST-level validation of LLM-generated code, and import restrictions to block access to dangerous modules.
If an immediate upgrade is not possible:
- Disable
CodeAgentor any component that calls_execute_python()until patching is complete. - Run PraisonAI in a container or VM with no network egress and minimal filesystem access to reduce blast radius.
- Audit all input sources fed to agent contexts for injection payloads.
- Monitor process behaviour for unexpected child processes, network connections, or file writes.
References
Timeline
| Date | Event |
|---|---|
| 2026-07-11 | NVD publication |
| 2026-07-12 | CosmicBytez Labs advisory published |