Critical (9.8)

PraisonAI RCE Vulnerability (CVE-2026-39890)

CVE-2026-39890

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/functio...

Overview

A critical remote code execution (RCE) vulnerability, identified as CVE-2026-39890, exists in the PraisonAI multi-agent system. The flaw resides in how the system parses agent configuration files, allowing an attacker to execute arbitrary JavaScript code on the server.

Vulnerability Details

The vulnerability is in the AgentService.loadAgentFromFile method in versions prior to 4.5.115. This method uses the js-yaml library to parse YAML-formatted agent definition files. The parsing was configured without disabling dangerous JavaScript-specific tags like !!js/function. By crafting a malicious YAML file containing these tags, an attacker can embed and execute arbitrary code during the file parsing process.

Impact

This vulnerability is highly severe, with a CVSS score of 9.8 (Critical). An unauthenticated attacker can exploit it remotely with no user interaction required. By uploading a malicious agent definition file via the public API, they can achieve full remote code execution on the PraisonAI server. This grants the attacker complete control over the system, enabling data theft, deployment of malware, or use of the server as a foothold for further attacks within the network.

Affected Versions

All versions of PraisonAI prior to 4.5.115 are affected.

Remediation

The primary and immediate action is to upgrade PraisonAI to version 4.5.115 or later. This version contains the fix that properly secures the YAML parsing function.

If an immediate upgrade is not possible, consider the following temporary mitigations:

  • Restrict Access: If the feature to upload agent files via API is not essential for your operation, restrict network access to the PraisonAI API endpoints using firewall rules or network segmentation.
  • Input Validation: Implement strict validation for any uploaded YAML files, though this is a complex and error-prone mitigation compared to applying the official patch.

No workarounds that fully eliminate the risk without upgrading are known. Patching is the only complete solution.
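One way to approach the input-validation mitigation above, as an added example (not PraisonAI's code and not the fix shipped in 4.5.115): a dependency-free gate that runs before the YAML parser and rejects any upload carrying a tag outside a small allowlist. The sample documents and their field names are constructed for illustration, and the tag values are placeholders.

```javascript
// Added example: fail-closed pre-parse gate for uploaded agent YAML.
// Only YAML core-schema tags are accepted; every other tag is rejected.
const ALLOWED_TAGS = new Set(
  ['str', 'int', 'float', 'bool', 'null', 'map', 'seq'].map((t) => '!!' + t)
);

// A tag token starts with "!" at the start of a node: at line start, after
// whitespace, or after a flow indicator. Verbatim tags have the form !<...>.
// A "!" inside a quoted string or comment also matches, so the gate can
// reject harmless files; it errs toward rejection on purpose.
const TAG_TOKEN = /(?:^|[\s\[{,])(!(?:<[^>]*>|[^\s\[\]{},]*))/g;

function findDisallowedYamlTags(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    // %TAG can remap a handle so an innocuous-looking tag resolves into the
    // js/ namespace, so any tag directive is rejected outright.
    if (/^%TAG\b/.test(line)) {
      findings.push({ line: i + 1, token: '%TAG', reason: 'tag directive' });
      return;
    }
    for (const m of line.matchAll(TAG_TOKEN)) {
      if (!ALLOWED_TAGS.has(m[1])) {
        findings.push({ line: i + 1, token: m[1], reason: 'tag not allowlisted' });
      }
    }
  });
  return findings;
}

// Constructed sample inputs (field names are hypothetical, not PraisonAI's schema).
const BENIGN_SAMPLE = [
  'name: researcher',
  'role: !!str analyst',
  'tools: [search, !!str summarize]',
].join('\n');

const TAGGED_SAMPLE = [
  '%TAG !e! tag:yaml.org,2002:js/',
  '---',
  'name: researcher',
  'onLoad: !!js/function "PLACEHOLDER"',
  'hook: !<tag:yaml.org,2002:js/function> "PLACEHOLDER"',
  'alias: !e!function "PLACEHOLDER"',
].join('\n');

console.log(findDisallowedYamlTags(TAGGED_SAMPLE));
```

An upload should be refused whenever the returned list is non-empty; the gate narrows exposure on unpatched versions and does not replace the upgrade.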

Security Insight

This vulnerability highlights the persistent risk of “trusted” data parsers in modern applications, especially within the rapidly evolving AI toolchain. Similar to past incidents in other ecosystems where parsers like js-yaml or PyYAML were misconfigured, it underscores that the security of an AI/ML platform extends far beyond its core models to include its foundational operational code. As tools like CyberStrikeAI lower the barrier for sophisticated attacks, neglecting basic security hygiene in supporting libraries creates easily exploitable entry points, potentially turning powerful AI automation tools into potent attack vectors.
