PraisonAI Template Injection RCE (CVE-2026-39891)
A template injection flaw in PraisonAI versions prior to 4.5.115 grants unauthenticated remote code execution. Upgrade to the patched version 4.5.115 immediately to block attacks.
Vendor-confirmed: CVE-2026-39891 is a high-severity template injection vulnerability in PraisonAI versions prior to 4.5.115 that grants unauthenticated remote code execution via unsanitized input to the agent.start() function. Upgrade to version 4.5.115 or later to block exploitation.
Overview
A high-severity vulnerability, CVE-2026-39891, has been identified in the PraisonAI multi-agent framework. The flaw allows an attacker to execute arbitrary code on a server running a vulnerable version of the software. This vulnerability is present in versions prior to 4.5.115.
Vulnerability Details
In affected versions, the create_agent_centric_tools() function provides agents with tools, such as acp_create_file, that process file content using a template engine. The vulnerability exists because user input passed to the agent.start() function is not properly sanitized before being processed by these tools. Malicious template expressions embedded in the input are executed by the system rather than being treated as inert text. This flaw is a classic template injection vulnerability, which can lead to remote code execution (RCE).
Impact
With a CVSS score of 8.8, this vulnerability poses a significant risk. An unauthenticated remote attacker with low privileges can exploit this flaw to execute arbitrary commands on the host system. Successful exploitation could lead to a complete compromise of the server, enabling data theft, deployment of malware, or use of the server as a foothold for further attacks within a network. The attack vector is network-based and requires no user interaction.
Remediation and Mitigation
The primary and immediate action is to upgrade PraisonAI to version 4.5.115 or later, where this vulnerability has been patched.
If an immediate upgrade is not possible, consider the following mitigation strategies:
- Input Validation and Sanitization: Review and harden any custom code that passes external input to the agent.start() function. Implement strict allow-lists for expected input patterns.
- Network Segmentation: Restrict network access to the PraisonAI application to only trusted users and systems, minimizing the attack surface.
- Monitor for Anomalies: Deploy monitoring to detect unusual process execution or file creation activities originating from the application server.
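The following Python module is an added example illustrating the hardening pattern behind the first and third mitigations above and the root cause described under Vulnerability Details. It is not PraisonAI code and does not reproduce the project's acp_create_file tool; every function, constant and regular expression in it is hypothetical. The point it demonstrates is the separation that the vulnerable design lacked: templates are developer-owned constants, while anything arriving from a user or an upstream agent is data that is substituted into a template or written to disk verbatim, never rendered by a template engine.

```python
"""Hardened handling of untrusted agent input (added example, not PraisonAI code).

Roles kept strictly apart:
  - templates are developer-owned constants defined in this module;
  - user-supplied text is data: validated against an allow-list, substituted
    with plain string substitution, or written to disk unchanged.
All names here are hypothetical.
"""
import re
import tempfile
from pathlib import Path
from string import Template

# Delimiters used by common text template engines. Their presence in untrusted
# input is not proof of an attack, but it is the signal a defender should log.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\$\{|<%")

# Allow-list for the single network-facing input this hypothetical service
# expects: a short free-text task description made of ordinary characters.
TASK_ALLOWED = re.compile(r"^[A-Za-z0-9 ,.\-_:/'()\n]{1,500}$")


def contains_template_syntax(text: str) -> bool:
    """Detection helper: True when the text carries template delimiters."""
    return TEMPLATE_DELIMITERS.search(text) is not None


def validate_task(text: str) -> str:
    """Gate external input before it reaches an agent entry point such as
    agent.start(). The allow-list alone already rejects '{', '%' and '$';
    the delimiter check is a second, explicit layer that is cheap to keep."""
    if not TASK_ALLOWED.fullmatch(text):
        raise ValueError("task contains characters outside the allow-list")
    if contains_template_syntax(text):
        raise ValueError("task contains template delimiters")
    return text


# Developer-owned template; it never originates from a request.
FILE_HEADER = Template("# Task: $task\n# Generated by: $agent\n")


def render_trusted_template(task: str, agent: str) -> str:
    """Substitute untrusted values into a trusted template. string.Template
    performs plain substitution and never re-scans the substituted values,
    so braces inside `task` remain literal text in the output."""
    return FILE_HEADER.substitute(task=task, agent=agent)


def create_file_hardened(base_dir: Path, name: str, content: str) -> Path:
    """File-creation tool that writes content verbatim: there is no rendering
    step for the content to be evaluated by. Also refuses names that would
    resolve outside base_dir."""
    root = base_dir.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise ValueError("file name escapes the working directory")
    target.write_text(content, encoding="utf-8")
    return target


def demo() -> str:
    """Write a file from a constructed input that contains template syntax and
    return what landed on disk: the delimiters, unevaluated."""
    untrusted = "Summarise {{ title }} and {% if draft %} the draft"  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = create_file_hardened(Path(d), "notes.txt",
                                    render_trusted_template(untrusted, "writer"))
        return path.read_text(encoding="utf-8")


if __name__ == "__main__":
    print(demo())
```

In a deployment, `validate_task` sits at the network boundary in front of the call to agent.start(), and `contains_template_syntax` is the check worth wiring into logging so that rejected or suspicious inputs show up alongside the process-execution and file-creation monitoring recommended above.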
For broader context on the challenges of securing AI-powered systems, see our analysis on AI SOC Agent Hype Masks Growing Secrets Sprawl Crisis. The rise of offensive AI tools, as discussed in CyberStrikeAI tool adopted by hackers for AI-powered attacks, makes patching such vulnerabilities even more urgent.
Security Insight
This vulnerability underscores a recurring pattern in emerging AI/ML platforms: the rush to add powerful, agentic functionality often outpaces the implementation of foundational security controls like input sanitization. It mirrors early web application security flaws, where dynamic content generation was introduced without proper safeguards. This incident serves as a reminder that as AI systems gain autonomy and tool-use capabilities, the security of their underlying orchestration engines becomes a critical new attack surface that developers must proactively harden.
Related Advisories
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing a...
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules....
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrus...
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/chec...