High github · GHSA-w6h2-fr4q-xvxv

PraisonAI: Compute-bridged file tools allow shell command injection

Published Jun 18, 2026 · CVSS 8.8

Compute-bridged file tools allow shell command injection

Summary

LocalManagedAgent / SandboxedAgent compute bridging wraps read_file, list_files, and write_file when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then sends those strings to shell-backed compute providers.

An attacker who can influence a file-tool path argument can break out of the quoted path and execute arbitrary shell commands in the compute environment. With compute="local", commands execute through the local subprocess compute provider on the host. With Docker, commands execute in the container.
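The quoting failure described above, shown as an added example that is not PraisonAI's code: the helper names, the `cat` command template and the sample paths are assumptions constructed for illustration. It compares a bridge that interpolates the raw path between double quotes with one that passes it through `shlex.quote`, and tokenizes both results without executing anything.

```python
import shlex

# Hypothetical bridge helpers. The command template is an assumption,
# not the code in managed_local.py.
def read_cmd_unsafe(path: str) -> str:
    # Raw path placed between double quotes: a '"' inside the value ends
    # the quoting, and double quotes do not neutralise shell metacharacters.
    return f'cat "{path}"'

def read_cmd_quoted(path: str) -> str:
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # shlex.quote() renders the value as exactly one POSIX-shell word;
    # '--' stops the path from being parsed as an option.
    return f"cat -- {shlex.quote(path)}"

def shell_tokens(cmd: str) -> list[str]:
    """Split a command string into words and operators; nothing is executed."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))

def has_control_operator(cmd: str) -> bool:
    """True if an unquoted ; | & ( ) < > token survives tokenization.

    This only illustrates word boundaries; it is not an input filter.
    """
    return any(tok and set(tok) <= set("();<>|&") for tok in shell_tokens(cmd))

# Constructed sample inputs (not taken from the advisory).
BENIGN = "notes/report.txt"
HOSTILE = 'notes.txt"; echo INJECTED; "'

if __name__ == "__main__":
    for path in (BENIGN, HOSTILE):
        for build in (read_cmd_unsafe, read_cmd_quoted):
            cmd = build(path)
            print(f"{build.__name__:16} operator={has_control_operator(cmd)!s:5} {cmd}")
```

`shlex.quote` targets POSIX shells only; a provider that runs commands through a different shell needs that shell's own quoting rules, or an argument-vector interface that avoids building a command string.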

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Component: src/praisonai/praisonai/integrations/managed_local.py
  • Confirmed affected:
    • v4.6.10
    • v4.6.56
    • v4.6.57
    • current main at 2f9677abb2ea68eab864ee8b6a828fd0141612e1
  • Confirmed not affected:
    • v4.6.9
    • v4.6.1
    • v4.5.149
  • Suggested affected range: `>= 4.6.10,

Affected AI Products

tool use