Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1852+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution
CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-61447

CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that exploit the CodeAgent's unsandboxed LLM-generated Python execution pipeline.

Dylan H.

Security Team

July 12, 2026
3 min read

Affected Products

  • PraisonAI < 1.6.78

Overview

CVE-2026-61447 is a maximum-severity (CVSS 10.0) remote code execution vulnerability in PraisonAI, an open-source multi-AI-agent framework. The flaw exists in the CodeAgent._execute_python() method, which executes LLM-generated Python code directly on the host system without any of the safeguards required for safely running untrusted code: no AST validation, no import restrictions, and no sandbox enforcement.

An attacker who can influence what the LLM produces — through prompt injection via user-supplied input, tool outputs, or retrieved documents — can cause arbitrary Python code to run with the privileges of the PraisonAI process.

Technical Details

PraisonAI's CodeAgent is designed to allow AI agents to write and execute Python code autonomously. The vulnerable code path in _execute_python() calls exec() (or equivalent) on the raw string produced by the LLM:

  • No AST validation: The generated code is not parsed or inspected before execution.
  • No import allow-list or block-list: Modules such as os, subprocess, socket, and shutil can be imported freely.
  • No sandbox: The code runs in the same Python process with access to the full filesystem, environment variables, and network stack.

The attack vector is prompt injection: an adversary embeds a malicious instruction in content the agent processes (e.g., a web page, a document, a tool response, or a chat message). The LLM faithfully includes the attacker's code in its output, and _execute_python() executes it.

Potential Impact

  • Credential theft: Environment variables — including API keys, database passwords, and cloud credentials — can be exfiltrated in seconds.
  • Full system compromise: Reverse shells, backdoors, and lateral movement are trivially achievable.
  • Supply-chain risk: Agents running in CI/CD or DevOps pipelines could be used to tamper with builds or push malicious artifacts.
  • Data destruction: The attacker can read, write, or delete arbitrary files accessible to the process.

Affected Versions

ProductAffectedFixed
PraisonAI< 1.6.781.6.78+

Remediation

Upgrade immediately to PraisonAI 1.6.78 or later. The fixed release introduces code-execution sandboxing, AST-level validation of LLM-generated code, and import restrictions to block access to dangerous modules.

If an immediate upgrade is not possible:

  1. Disable CodeAgent or any component that calls _execute_python() until patching is complete.
  2. Run PraisonAI in a container or VM with no network egress and minimal filesystem access to reduce blast radius.
  3. Audit all input sources fed to agent contexts for injection payloads.
  4. Monitor process behaviour for unexpected child processes, network connections, or file writes.

References

  • NVD — CVE-2026-61447
  • PraisonAI GitHub

Timeline

DateEvent
2026-07-11NVD publication
2026-07-12CosmicBytez Labs advisory published
#CVE#RCE#AI Security#Prompt Injection#PraisonAI#Critical

Related Articles

CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls

A CVSS 9.9 critical vulnerability in PraisonAI before 4.6.78 allows attackers to write files to arbitrary filesystem locations and execute arbitrary OS commands by injecting malicious prompts through the AICoder chat interface.

3 min read

CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends

A CVSS 9.8 critical SQL injection vulnerability in PraisonAI before 4.6.78 allows attackers to exploit the unvalidated dimension argument in PGVector and Cassandra knowledge-store backends to execute arbitrary database queries.

3 min read

CVE-2026-13353: WordPress WP Ultimate CSV Importer RCE via MappedFields Parameter

A critical CVSS 8.8 remote code execution vulnerability in WP Ultimate CSV Importer allows unauthenticated attackers to execute arbitrary PHP code on WordPress sites running versions up to 8.0.1.

3 min read
Back to all Security Alerts