CVE-2026-61447: PraisonAI before 1.6.78 Remote Code Execution via CodeAgent
PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through prompt injection to exfiltrate all environment secrets and execute arbitrary code on the host system.
Security readout for executives and security teams
Plain-English summary
PraisonAI versions before 1.6.78 can let untrusted LLM-influenced output become Python code execution through CodeAgent. In practical terms, a prompt injection could turn an AI workflow into host compromise and secret theft. This is a critical issue for any deployment running PraisonAI agents with access to credentials, internal systems, or production data.
Executive priority
Treat as an immediate remediation item for any PraisonAI use in production or connected environments. The business risk is host takeover and credential theft through AI workflow manipulation. Prioritize upgrade and secret exposure review before expanding affected agent deployments.
Technical view
CVE-2026-61447 is a CWE-94 remote code execution issue in CodeAgent._execute_python(). The advisory states LLM-generated Python is executed without AST validation, import restrictions, or sandbox enforcement. An attacker who influences model output through prompt injection may exfiltrate environment secrets and execute arbitrary code on the host. CVSS v4.0 is 10.0.
Likely exposure
Exposure is likely where PraisonAI before 1.6.78 is deployed and CodeAgent executes Python generated from LLM output. Risk is highest for internet-facing or user-influenced agent workflows, and where environment variables contain API keys, cloud credentials, database passwords, or other secrets.
Exploitation context
The sources describe prompt injection leading to arbitrary code execution and secret exfiltration. The CVE is not listed as KEV in the provided bundle, and no cited source states active exploitation. Treat it as high-priority due to unauthenticated network attack characteristics and severe confidentiality, integrity, and availability impact.
Researcher notes
Evidence is limited to the CVE bundle, GitHub advisory, and VulnCheck advisory references. The root issue is unsafe execution of model-generated Python without validation or sandboxing. Do not assume exploitation in the wild from the provided sources. Focus validation on version, CodeAgent usage, prompt influence, runtime isolation, and accessible secrets.
Mitigation direction
Upgrade PraisonAI to 1.6.78 or later per the advisory wording.
Disable or restrict CodeAgent Python execution until upgraded.
Remove unnecessary secrets from PraisonAI host environments.
Run agents with least privilege and isolated runtime permissions.
Review vendor advisory for any updated remediation guidance.
Validation and detection
Inventory PraisonAI deployments and confirm installed versions.
Identify workflows using CodeAgent or LLM-generated Python execution.
Check whether user-controlled prompts can influence agent execution paths.
Review environment variables and secrets accessible to PraisonAI processes.
Confirm upgraded systems report version 1.6.78 or later.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
0ADP providers
3Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.