External risk intelligence

PraisonAI AICoder Arbitrary File Write and Command Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-61445

PraisonAI is designed as an agentic framework that typically deploys a chat interface or web application to allow user interaction. As these interfaces are often hosted as web services or API endpoints to facilitate accessibility for users or teams, they are commonly exposed to network or internet access.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details critical vulnerabilities in the AICoder component of PraisonAI, stemming from insufficient validation of file paths and commands within its language model tool calls. The issue allows for the potential for unauthorized users to write files anywhere on the system and execute commands with root privileges by crafting malicious prompts through the chat interface.

  • Vulnerability allows attackers to write files and run commands.
  • Matters because it affects AI tools that process user input.
  • Focus on confirming if this AI technology is in use.

Attack Path

How an attacker could exploit the issue

An attacker could start by interacting with the chat interface of PraisonAI. If they have authenticated access, they could then inject specially crafted prompts. These prompts would target the AICoder component, exploiting weaknesses in how it handles file paths and command inputs. Successful exploitation would allow the attacker to write files to any location on the system and run arbitrary commands with the highest level of system privileges.

  • Requires authenticated user access.
  • Inject malicious prompts via chat interface.
  • Gain root privileges and write arbitrary files.

Live Threat

Current exploitation, exposure, and threat context

The AICoder component in PraisonAI could allow an attacker to write arbitrary files to the filesystem and execute commands with root privileges. This could occur when an attacker injects malicious prompts through the chat interface, potentially impacting system integrity and the confidentiality of files.

  • System files and configurations at risk.
  • Malicious prompts via chat interface.
  • Unauthorized file writes and command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The AICoder component within PraisonAI is susceptible to arbitrary file write and command execution vulnerabilities due to improper validation of paths and commands. This impacts users interacting with the chat interface, as attackers can craft malicious prompts to achieve file system modifications and execute shell commands with root privileges. The first practical step is to identify all PraisonAI instances, confirm their network exposure and business criticality, ascertain the responsible application or platform owner, and then prioritize remediation based on the potential impact.

  • Application or Platform Engineering owns the issue.
  • Verify PraisonAI network exposure and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PraisonAI and the AICoder component?

PraisonAI is a framework designed to build and manage multi-agent AI systems. Its AICoder component acts as a specialized tool for generating and executing code based on language model instructions. Users interact with this component via a chat interface to automate development tasks, relying on the system to interpret prompts and execute the necessary logic on the underlying host machine.

How does CVE-2026-61445 create a security risk?

This vulnerability is classified as Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal (CWE-22). Because the AICoder component lacks strict validation, it fails to verify where files are written or which commands are run. When the AI agent processes a malicious prompt, it inadvertently treats the attacker's input as a trusted instruction, allowing it to modify sensitive files or run unauthorized shell commands with root-level system access.

Does interacting with the chat interface always trigger this bug?

No. The vulnerability is triggered specifically when the AICoder component processes a crafted, malicious prompt designed to exploit its missing sanitization logic. A standard, benign conversation with the chat interface does not inherently trigger this behavior; the threat requires a specific, adversarial prompt that directs the agent to manipulate files or execute unauthorized commands.

Is my PraisonAI instance at risk if it is internal?

Halo Surface Signal indicates that PraisonAI is often deployed as a web service or API endpoint to enable team collaboration, frequently resulting in network or internet-facing exposure. While internal instances face a lower risk from external actors, any authenticated user with access to the chat interface can exploit this flaw. You should evaluate access controls regardless of whether the service is internal or public-facing.

How should I respond to the CVE-2026-61445 advisory?

Begin by auditing your infrastructure to locate all active PraisonAI deployments. Confirm the specific version in use, as the vulnerability affects versions prior to 4.6.78. Once identified, consult the official project security guidance to update the software. Work with your platform engineering team to assess the criticality of these instances and restrict access to the chat interface while you coordinate the necessary version upgrades.

References