PT-2026-31458 · Praisonai · Praisonai

Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-39891

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 4.5.115

Description

A flaw exists in PraisonAI where user input from agent.start() is passed directly into template-rendering tools such as acp_create_file without proper escaping. Template expressions contained in the input are therefore executed rather than treated as literal text. Specifically, the create_agent_centric_tools() function returns tools that process file content using template rendering. The combination of missing input sanitization, auto-approval of operations, and no context-aware escaping for template syntax enables attackers to execute arbitrary system commands with the privileges of the running process. A proof-of-concept demonstrates the creation of a file /tmp/pwned through a malicious template expression injected via agent.start(). This compromises the host system, potentially leading to data theft, ransomware deployment, or lateral movement.

Recommendations

On versions prior to 4.5.115, implement strict whitelist validation for file content. Enable auto-escaping of template syntax characters using Jinja2 autoescape=True. Restrict template execution environments using secure eval modes. Require manual approval for file creation operations in production.
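
The content validation and manual approval recommended above can be combined into one fail-closed gate placed in front of a rendering file tool. This is an added example, not PraisonAI code; the names gate_file_write, find_template_syntax and Verdict are hypothetical, and it assumes the renderer uses Jinja2's default delimiters.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Jinja2's default expression, statement and comment delimiters.
# Assumption: the rendering tool uses the defaults; extend for custom ones.
MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    findings: List[str] = field(default_factory=list)


def find_template_syntax(content: str) -> List[str]:
    """Return 'line N: <marker>' for every template delimiter in content."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in MARKERS.finditer(line):
            hits.append(f"line {lineno}: {m.group(0)}")
    return hits


def gate_file_write(path: str, content: str,
                    approver: Optional[Callable[[str, str], bool]] = None) -> Verdict:
    """Decide whether agent-supplied content may reach a rendering file tool.

    Fails closed: template syntax is always rejected, and anything else
    still needs an explicit approval callback (no auto-approve).
    """
    findings = find_template_syntax(content)
    if findings:
        return Verdict(False, "template syntax in untrusted content", findings)
    if approver is None:
        return Verdict(False, "no approver configured")
    if not approver(path, content):
        return Verdict(False, "approver declined")
    return Verdict(True, "approved")


# Constructed sample inputs, not taken from the advisory.
BENIGN = "Meeting notes\n- ship release\n"
PROBE = "Meeting notes\nTotal: {{ 7 * 7 }}\n"
```

The findings list is suitable for an audit log entry, so rejected writes can be reviewed alongside the prompt that produced them.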

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-39891
GHSA-HWG5-X759-7WJG

Affected Products

Praisonai