External risk intelligence

PraisonAI Code Execution Vulnerability Allows System Compromise

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-61447

PraisonAI is a framework used to build and deploy AI agents. While the underlying code execution component could be integrated into internet-facing applications or web services, the library itself is typically used by developers for automation tasks rather than being a standalone, internet-facing appliance or edge gateway by default.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in PraisonAI allows remote code execution by exploiting how it processes LLM-generated Python code without adequate safeguards, potentially leading to unauthorized access and control of host systems.

  • Code can be run without proper checks.
  • Leadership should remember AI code risks.
  • Verify AI tool security implications.

Attack Path

How an attacker could exploit the issue

An attacker can target the CodeAgent feature by sending specially crafted prompts. This could lead to the execution of arbitrary Python code, allowing for the compromise of the entire system.

  • No special access needed.
  • Crafting prompts to influence LLM.
  • Arbitrary code execution and data exfiltration.

Live Threat

Current exploitation, exposure, and threat context

The PraisonAI CodeAgent can be tricked into running malicious Python code by manipulating its prompts. This could allow an attacker to steal sensitive environment variables and execute arbitrary commands on the host system.

  • Environment secrets and host system.
  • Prompt injection to influence code execution.
  • Unauthorized code execution and data exfiltration.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners responsible for PraisonAI deployments must first identify all instances of the affected technology. Confirming exposure, business criticality, and locating the accountable owner are essential steps before planning remediation.

  • Application owners should manage this issue.
  • Verify PraisonAI instances and exposure.
  • Plan remediation based on risk and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PraisonAI?

PraisonAI is a framework designed for developers to build, orchestrate, and deploy autonomous AI agents. It functions as a library to automate tasks by integrating large language models into software workflows. Users typically deploy it to handle complex agentic processes, meaning it often runs in environments where code generation and execution are central to its automated functionality.

What does CWE-94 mean for CVE-2026-61447?

CWE-94 refers to Improper Control of Generation of Code. In this vulnerability, the CodeAgent component lacks necessary safety checks—such as AST validation or sandboxing—when running Python code created by an LLM. Because the software does not restrict imports or verify the logic it receives, it essentially grants the AI unrestricted permission to execute commands directly on the host operating system.

How can an attacker trigger this code execution?

An attacker triggers this by using prompt injection to manipulate the LLM's output. By crafting specific inputs, they trick the AI into generating malicious Python instructions that the CodeAgent subsequently runs. Simply interacting with the AI agent or the application using it is enough; the bug is not triggered by standard, benign agent usage but specifically by inputs designed to influence the underlying code-generation logic.

Is my system at risk if it uses PraisonAI?

According to Halo Surface Signal, risk depends on how you integrated the library. While PraisonAI is a development framework rather than an off-the-shelf appliance, any application where you have exposed this agentic capability to the internet increases your risk. If your implementation allows external users to send prompts that reach the CodeAgent, your system is directly exposed to potential remote code execution.

How do I respond to this vulnerability?

Your first step is to inventory all applications and automation pipelines in your environment that utilize the PraisonAI framework. Once identified, evaluate whether these instances are accessible to untrusted users or external networks. Prioritize updating the library to a version beyond 1.6.78, which contains the necessary security safeguards, and restrict access to agent interfaces until you have verified the patch status.

References