CVE-2026-61445
MervinPraison · PraisonAI
PraisonAI is vulnerable to arbitrary file write and command execution via the AICoder component due to missing path and command validation in LLM tool calls.
Executive summary
A critical vulnerability in the PraisonAI AICoder component allows authenticated attackers to perform arbitrary file writes and execute system commands with root privileges.
Vulnerability
The vulnerability is a path traversal and command injection flaw (CWE-22) occurring within the AICoder component. It requires low-level authentication (PR:L) to interact with the chat interface, where an attacker can inject prompts that bypass path validation to write or execute files on the host filesystem.
Business impact
An attacker who successfully exploits this flaw can achieve full system control by injecting commands that execute with root privileges. With a CVSS score of 9.9, this vulnerability poses a severe threat to the integrity and availability of the entire server environment.
Remediation
Immediate Action: Update PraisonAI to version 4.6.78 or later to apply the necessary path validation and command sanitization patches.
Proactive Monitoring: Monitor filesystem activity for unexpected file creation or modification in sensitive directories, and review shell execution logs for anomalous activity.
Compensating Controls: Implement strict file system permissions and ensure the service runs with the least privilege required, preventing the application from executing commands as root.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The potential for root-level command execution necessitates immediate patching. All users of PraisonAI must update to the latest version to prevent unauthorized system access and potential data destruction.