LiveActive security incident?Get immediate response
CVE Record

CVE-2026-61447: PraisonAI before 1.6.78 Remote Code Execution via CodeAgent

PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through prompt injection to exfiltrate all environment secrets and execute arbitrary code on the host system.

CriticalCVSS 10Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

PraisonAI versions before 1.6.78 can let untrusted LLM-influenced output become Python code execution through CodeAgent. In practical terms, a prompt injection could turn an AI workflow into host compromise and secret theft. This is a critical issue for any deployment running PraisonAI agents with access to credentials, internal systems, or production data.

Executive priority

Treat as an immediate remediation item for any PraisonAI use in production or connected environments. The business risk is host takeover and credential theft through AI workflow manipulation. Prioritize upgrade and secret exposure review before expanding affected agent deployments.

Technical view

CVE-2026-61447 is a CWE-94 remote code execution issue in CodeAgent._execute_python(). The advisory states LLM-generated Python is executed without AST validation, import restrictions, or sandbox enforcement. An attacker who influences model output through prompt injection may exfiltrate environment secrets and execute arbitrary code on the host. CVSS v4.0 is 10.0.

Likely exposure

Exposure is likely where PraisonAI before 1.6.78 is deployed and CodeAgent executes Python generated from LLM output. Risk is highest for internet-facing or user-influenced agent workflows, and where environment variables contain API keys, cloud credentials, database passwords, or other secrets.

Exploitation context

The sources describe prompt injection leading to arbitrary code execution and secret exfiltration. The CVE is not listed as KEV in the provided bundle, and no cited source states active exploitation. Treat it as high-priority due to unauthenticated network attack characteristics and severe confidentiality, integrity, and availability impact.

Researcher notes

Evidence is limited to the CVE bundle, GitHub advisory, and VulnCheck advisory references. The root issue is unsafe execution of model-generated Python without validation or sandboxing. Do not assume exploitation in the wild from the provided sources. Focus validation on version, CodeAgent usage, prompt influence, runtime isolation, and accessible secrets.

Mitigation direction

  • Upgrade PraisonAI to 1.6.78 or later per the advisory wording.
  • Disable or restrict CodeAgent Python execution until upgraded.
  • Remove unnecessary secrets from PraisonAI host environments.
  • Run agents with least privilege and isolated runtime permissions.
  • Review vendor advisory for any updated remediation guidance.

Validation and detection

  • Inventory PraisonAI deployments and confirm installed versions.
  • Identify workflows using CodeAgent or LLM-generated Python execution.
  • Check whether user-controlled prompts can influence agent execution paths.
  • Review environment variables and secrets accessible to PraisonAI processes.
  • Confirm upgraded systems report version 1.6.78 or later.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-61447 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
0ADP providers
3Source links

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HVulnCheck
10CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H3.96VulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

10Critical
CVSS 4.0 vector shape for CVE-2026-61447Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
MervinPraisonPraisonAI0, 1.6.78unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.