CVE-2026-61433
Received Received - Intake

PraisonAI Deployment Config Code Injection Vulnerability

Vulnerability report for CVE-2026-61433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents_file configuration parameters that execute when the generated server starts or handles requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praisonai praisonai to 4.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

PraisonAI before version 4.6.78 has a code injection flaw where deployment configuration values are not properly encoded when generating Python source code for API servers. Attackers can inject malicious Python expressions through the deploy.api.host and agents_file parameters. These expressions execute when the generated server starts or handles requests, leading to arbitrary code execution.

Impact Analysis

This vulnerability allows attackers to execute arbitrary Python code with the privileges of the deployment process. This could lead to unauthorized access to sensitive data like environment variables, local files, model/API credentials, and deployment credentials. Attackers could also manipulate the system to perform unintended actions.

Compliance Impact

This vulnerability could lead to unauthorized access or exposure of sensitive data, violating GDPR and HIPAA compliance requirements. It may result in data breaches, unauthorized processing of personal data, or failure to protect health information, leading to legal and regulatory penalties.

Detection Guidance

Check PraisonAI version with 'pip show praisonai' or 'praisonai --version'. If version is below 4.6.78, the system is vulnerable. Inspect deploy.api.host and agents_file parameters in agents.yaml for suspicious Python expressions or code injection patterns.

Mitigation Strategies

Update PraisonAI to version 4.6.78 or later immediately. Review and sanitize deploy.api.host and agents_file values in agents.yaml to remove any injected Python expressions. Restart affected API servers after update.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart