Security Vulnerability Report
中文
CVE-2026-39891 CVSS 8.8 HIGH

CVE-2026-39891

Published: 2026-04-08 21:17:01
Last Modified: 2026-04-22 16:51:31
Source: [email protected]

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.115

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-39891 # This demonstrates how unescaped input leads to SSTI in PraisonAI < 4.5.115 # Assume we are interacting with the vulnerable agent API endpoint # The vulnerability is triggered when user input reaches 'acp_create_file' # which uses template rendering. malicious_payload = "{{ 7*7 }}" # Basic SSTI test payload # In a real scenario, this input would be sent to the agent.start() method # Example exploit flow: # 1. Attacker sends payload to agent.start() # 2. Input is passed to acp_create_file without escaping # 3. Template engine processes {{ 7*7 }} and returns "49" print(f"Sending payload to trigger template rendering: {malicious_payload}") print("If the application returns '49' instead of the literal string, it is vulnerable.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39891", "sourceIdentifier": "[email protected]", "published": "2026-04-08T21:17:01.403", "lastModified": "2026-04-22T16:51:30.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.5.114", "matchCriteriaId": "B0754891-B47D-441D-A0E6-710A49389AE4"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.