Code Injection Vulnerability in PraisonAI by Mervin Praison
CVE-2026-61433

8.5HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61433?

PraisonAI versions prior to 4.6.78 contain a code injection vulnerability that arises from inadequate encoding of deployment configuration values during Python source code generation for API servers. This flaw enables malicious actors to inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters. These expressions are executed when the server starts or while handling requests, potentially leading to severe security breaches. Users of affected versions are urged to upgrade immediately to mitigate this risk.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.