External risk intelligence

PraisonAI Code Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-61444

The vulnerability resides in an API endpoint (deploy/api.py) used for agent management. Web APIs and application deployment interfaces are commonly exposed or reachable in network environments where AI orchestration tools are utilized, making this a likely target for external or authorized network access.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in PraisonAI technology, specifically concerning code injection through an API parameter. This flaw could allow unauthorized execution of arbitrary Python code on systems running affected versions. The primary concern is to confirm if this technology is in use and assess potential exposure.

  • Unsanitized input allows arbitrary code execution.
  • Leadership should confirm if this technology is deployed.
  • Focus on confirming relevance and understanding exposure.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges could exploit this vulnerability by sending a specially crafted request to the PraisonAI API. This request would target the `deploy/api.py` endpoint, specifically manipulating the `agents_file` parameter. Because this parameter is directly embedded into an f-string without proper sanitization, an attacker can inject arbitrary Python code. When the application generates and executes server code using `subprocess.Popen()`, the injected Python code will run, leading to a critical compromise.

  • Requires administrative access to the API.
  • Injects Python code via the `agents_file` parameter.
  • Allows arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated attacker to execute arbitrary Python code on the server when specific API parameters are processed. This could affect the integrity and availability of the system running the PraisonAI application, and potentially expose sensitive information if the injected code is designed to access it.

  • Server-side code execution.
  • Code injection via API parameter.
  • Compromise of system data and services.

Operational Fix

Recommended remediation, mitigation, and detection steps

The PraisonAI application owner, in conjunction with the platform and security teams, should lead the remediation efforts for this code injection vulnerability. The initial focus must be on accurately inventorying all deployments of the affected technology, assessing their network exposure and business criticality, and identifying the responsible system owner. This information will form the basis for a risk-informed remediation plan, which may involve vendor coordination or the application of compensating controls if immediate patching is not feasible.

  • Application and platform teams own remediation.
  • Verify affected systems and exposure first.
  • Plan risk-based remediation activities.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PraisonAI and how is it used?

PraisonAI is an AI orchestration framework designed to help users build, manage, and deploy autonomous AI agents. It simplifies the process of creating complex agent workflows. Developers and technical teams use it to automate tasks by defining agent behaviors and configurations, often relying on its API components to handle deployment and execution tasks within their server environments.

What does code injection mean for CVE-2026-61444?

This vulnerability is a classic case of improper input validation, specifically categorized as CWE-94: Improper Control of Generation of Code. In PraisonAI, the application takes input from a user and embeds it directly into a command string without cleaning it first. Because this input is processed as executable Python code, it allows an attacker to 'inject' their own commands, which the server then blindly runs with the same permissions as the application.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a crafted request to the API endpoint found in 'deploy/api.py'. By manipulating the 'agents_file' parameter, they can include malicious Python commands. Crucially, the vulnerability relies on the application's internal use of 'subprocess.Popen()' to run server code; if the application is not actively processing a request through this specific endpoint, the code injection cannot occur.

Is my PraisonAI instance at risk of exploitation?

According to Halo Surface Signal, this vulnerability is considered a likely target because it exists in an API endpoint used for agent management. Web APIs that handle application deployment are frequently accessible across network environments where AI tools operate. If your PraisonAI instance is reachable over a network—especially if it is exposed to the internet—the risk of unauthorized access is higher.

What is the first step to address CVE-2026-61444?

The immediate priority is to identify every server in your environment running PraisonAI versions earlier than 4.6.78. Once you have a complete inventory, assess how these systems are connected to your network. Verify whether the affected API endpoint is reachable by unauthorized users and coordinate with your platform teams to apply the vendor-provided update as your primary path to remediation.

References