CVE-2026-60086
Received Received - Intake

Prompt Injection Defense Bypass in PraisonAI

Vulnerability report for CVE-2026-60086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are classified as HIGH threat level and pass through unblocked to reach the model.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mervinpraison praisonai to 4.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60086 is a vulnerability in PraisonAI versions before 4.6.78 where the prompt injection defense mechanism is bypassed. The defense only blocks threats classified as CRITICAL, which requires three or more detector families to simultaneously detect the threat. However, attackers can craft prompt injections classified as HIGH threat level that do not meet this threshold and thus pass through unblocked to reach the AI model.

The root cause is that the system's scan function only sets a block when the threat level is CRITICAL and detected by multiple detector families, ignoring HIGH-level threats. This allows single or double-vector prompt injections, including common attack phrases, to bypass the defense.

Impact Analysis

This vulnerability allows attackers to bypass the prompt injection defenses of PraisonAI and send malicious inputs to the AI model. As a result, attackers can manipulate the system's behavior by injecting crafted prompts that are not blocked.

  • Attackers can execute prompt injections that influence or control the AI's responses.
  • The system may perform unintended actions or reveal sensitive information due to manipulated prompts.
  • Because the defense mechanism fails to block HIGH-level threats, the risk of exploitation is significant even without complex attack vectors.
Detection Guidance

The vulnerability involves prompt injections classified as HIGH threat level bypassing the defense mechanism because it only blocks CRITICAL threats detected by three or more detector families simultaneously.

Detection would involve monitoring for prompt injection attempts that include common single-vector injection phrases such as "Ignore all previous instructions" or other suspicious inputs that could be classified as HIGH threat but not blocked.

Since the vulnerability is related to the internal prompt injection defense logic of PraisonAI, direct network or system commands to detect this vulnerability are not explicitly provided in the available resources.

However, general detection could include logging and analyzing inputs sent to PraisonAI for suspicious prompt injection patterns and monitoring for unexpected model behavior triggered by such inputs.

Mitigation Strategies

Immediate mitigation steps include updating PraisonAI to version 4.6.78 or later, where the prompt injection defense bypass vulnerability has been addressed.

If updating is not immediately possible, consider implementing additional filtering or sanitization of inputs classified as HIGH threat level, rather than relying solely on blocking CRITICAL threats.

Suggested fixes from the advisory include blocking at the HIGH threat level, treating single dangerous-category detections as sufficient to block, or implementing the documented "sanitize" action for HIGH-level threats.

Additionally, treat the regex detection set as advisory rather than the primary gate to improve defense against prompt injections.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart