Remote Code Execution Vulnerability in PraisonAI by Mervin Praison
CVE-2026-61438

7HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61438?

PraisonAI versions prior to 4.6.78 exhibit a vulnerability that allows remote code execution via insufficient validation of abstract syntax trees (AST) in workflow scripts. Attackers can exploit this flaw by crafting malicious YAML files that contain unsanctioned import statements and execute OS commands. The flaw bypasses existing sandbox checks and grants the attacker the ability to run arbitrary commands with the privileges of the process executing the script, posing a significant threat to system integrity and security.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

chakrapani150
.