Unauthenticated Remote Code Execution via Jobs API and Approval Bypass in PraisonAI

Summary

An unauthenticated attacker can execute arbitrary OS commands on any server running the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two weaknesses: the /api/v1/runs endpoint requires no credentials, and a top-level approve field in the submitted YAML unconditionally bypasses the @require_approval safety decorator on dangerous tools such as execute_command.

Ecosystem: pip | Package: praisonai | Affected: ` depends on the configured LLM following the injected instruction, which is

reliably triggered on any instruction-tuned model.

Attack Chain

Attacker (unauthenticated)
│
├─ POST /api/v1/runs  (no auth check)
│   └─ agent_yaml: approve: [execute_command]
│
├─ yaml_parser.py:261
│   └─ approve_tools = ["execute_command"]
│
├─ workflows.py:1025
│   └─ set_yaml_approved_tools(["execute_command"])
│
├─ LLM follows backstory instruction → calls execute_command("curl ...")
│
├─ approval/__init__.py:179
│   └─ is_yaml_approved("execute_command") → True → BYPASSED
│
└─ shell_tools.py:33 → subprocess.Popen(["curl", ...])
    └─ ARBITRARY COMMAND EXECUTION

Affected Components

Impact

Full unauthenticated remote code execution on any host running the Jobs API. No credentials, no existing session, and no operator interaction required.

Recommended Fixes

Fix 1 — Add authentication to the Jobs API (Critical)

# src/praisonai/praisonai/jobs/router.py
from .auth import verify_token
 
@router.post("")
async def submit_job(
    body: JobSubmitRequest,
    _: None = Depends(verify_token),   # add this
    ...
):

Fix 2 — Remove or restrict the approve YAML field (Critical)

# src/praisonai-agents/praisonaiagents/workflows/yaml_parser.py:261
 
# Option A: remove entirely
approve_tools = []
 
# Option B: allowlist only non-dangerous tools
SAFE_TO_APPROVE = {"web_search", "read_file", "write_file"}
approve_tools = [t for t in data.get('approve', []) if t in SAFE_TO_APPROVE]