PraisonAI — Four critical vulnerabilities expose multi-agent AI systems to sandbox escape, RCE, and data exfiltration

AI relevance: PraisonAI orchestrates multi-agent AI workflows, making these vulnerabilities critical for securing AI agent ecosystems where multiple autonomous systems interact and execute code across distributed infrastructure.

  • CVE-2026-39888 (CVSS 9.9) — Sandbox escape via AST blocklist bypass in the execute_code() function
  • CVE-2026-39889 (CVSS 8.6) — Unauthenticated SSE event stream exposes all agent activity
  • CVE-2026-39890 (CVSS 9.8) — Remote code execution via malicious YAML parsing in js-yaml
  • CVE-2026-39891 (CVSS 8.1) — Template injection vulnerability in agent-centric tools
  • Vulnerabilities affect PraisonAI versions prior to 1.5.115
  • Attackers can achieve full system compromise of AI deployment infrastructure
  • Exploitation requires only network access to PraisonAI API endpoints
  • Vulnerabilities enable unauthorized data exfiltration of sensitive AI workflows
  • Critical for multi-agent AI security where multiple autonomous systems interact
  • PraisonAI has released patched version 1.5.115 addressing all vulnerabilities

Why it matters

Multi-agent AI systems like PraisonAI represent the cutting edge of autonomous AI coordination, but these vulnerabilities demonstrate the severe security risks when code execution, data exposure, and agent communication are not properly secured. The ability to escape sandboxes and execute arbitrary code undermines the fundamental security premise of AI agent isolation.

What to do

  • Immediately upgrade PraisonAI to version 1.5.115 or later
  • Review and restrict network access to PraisonAI API endpoints
  • Implement strict input validation for all agent definition files and YAML parsing
  • Monitor for suspicious agent activity and unauthorized code execution attempts
  • Consider additional sandboxing layers for AI agent execution environments
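
As an added illustration of the extra validation layer suggested above (not PraisonAI's code or its fix; the node allowlist and the permitted call names are assumptions chosen for this example), a deny-by-default AST check avoids the gaps a blocklist leaves by rejecting every construct it does not explicitly permit:

```python
import ast
import builtins

# Deny by default: any node type not listed here is rejected outright,
# so new syntax or an overlooked construct fails closed instead of open.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.Add, ast.Sub, ast.Mult,
    ast.Div, ast.Mod, ast.USub, ast.Compare, ast.Lt, ast.Gt, ast.Eq,
    ast.List, ast.Tuple, ast.Call,
)
ALLOWED_CALLS = {"len", "min", "max", "sum", "abs"}  # hypothetical policy
BUILTIN_NAMES = set(dir(builtins))


def validate(source: str) -> list:
    """Return policy violations for a snippet; an empty list means accepted."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    nodes = list(ast.walk(tree))
    # Names the snippet itself assigns; only these may be read back.
    assigned = {n.id for n in nodes
                if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    problems = []
    for node in nodes:
        where = f"line {getattr(node, 'lineno', '?')}"
        if not isinstance(node, ALLOWED_NODES):
            problems.append(f"{where}: {type(node).__name__} not allowed")
        elif isinstance(node, ast.Call):
            f = node.func
            if not (isinstance(f, ast.Name) and f.id in ALLOWED_CALLS):
                problems.append(f"{where}: call target not allowed")
        elif isinstance(node, ast.Name):
            if isinstance(node.ctx, ast.Store):
                # Rebinding a builtin could alias an allowed call name to something else.
                if node.id in BUILTIN_NAMES or node.id.startswith("_"):
                    problems.append(f"{where}: cannot assign {node.id!r}")
            elif node.id not in assigned and node.id not in ALLOWED_CALLS:
                problems.append(f"{where}: unknown name {node.id!r}")
    return problems


# Constructed sample inputs, not taken from any advisory.
ACCEPTED = "total = sum([1, 2, 3])\nscaled = total * 2"
REJECTED = ["import os", "value = 1\nvalue.real", "open('notes.txt')",
            "len = 5", "x = [i for i in (1, 2)]"]
```

Static validation is one layer only; snippets that pass should still run in an isolated process or container with a restricted set of builtins.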

Sources