High github · GHSA-v847-hxxw-3pxg

PraisonAI recipe.run_stream skips dangerous-tool policy enforcement

Published Jun 18, 2026 CVSS 7.8

Summary

PraisonAI recipe execution blocks default-denied dangerous tools unless the caller explicitly passes allow_dangerous_tools=True. The normal recipe.run() path enforces this with _check_tool_policy(). The streaming path, recipe.run_stream(), loads the same recipe, checks dependencies, and then calls _execute_recipe() without running the dangerous-tool policy check.

As a result, a recipe that honestly declares execute_command in TEMPLATE.yaml requires.tools is denied by recipe.run(), but reaches the execution engine through recipe.run_stream() with allow_dangerous_tools=False.

The local PoV uses a harmless printf canary, explicitly unsets PRAISONAI_AUTO_APPROVE, and avoids network access.
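
A static regression check for the gap described above, added here as an example and not taken from PraisonAI or the advisory: it flags any function that calls _execute_recipe without also calling _check_tool_policy. The sample source is constructed, and the names load and check_dependencies and all function signatures in it are assumptions.

```python
import ast

# Constructed sample mirroring the control flow the advisory describes.
# This is NOT PraisonAI's source; load(), check_dependencies() and the
# signatures are hypothetical stand-ins.
SAMPLE = '''
def _check_tool_policy(recipe, allow_dangerous_tools): ...
def _execute_recipe(recipe): ...

def run(name, allow_dangerous_tools=False):
    recipe = load(name)
    _check_tool_policy(recipe, allow_dangerous_tools)
    return _execute_recipe(recipe)

def run_stream(name, allow_dangerous_tools=False):
    recipe = load(name)
    check_dependencies(recipe)
    yield from _execute_recipe(recipe)
'''

def _called_names(func):
    """Names of every function or method called anywhere inside func."""
    names = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Call):
            target = node.func
            if isinstance(target, ast.Name):
                names.add(target.id)
            elif isinstance(target, ast.Attribute):
                names.add(target.attr)
    return names

def unguarded_entry_points(source, sink="_execute_recipe", guard="_check_tool_policy"):
    """Return functions that call `sink` directly without ever calling `guard`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.name in (sink, guard):
                continue  # the sink and guard themselves are not entry points
            calls = _called_names(node)
            if sink in calls and guard not in calls:
                findings.append(node.name)
    return sorted(findings)

if __name__ == "__main__":
    print(unguarded_entry_points(SAMPLE))
```

The check only sees direct calls inside each function body, so a guard invoked through a helper would need that helper's name passed as `guard`.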

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Components:
    • src/praisonai/praisonai/recipe/core.py
    • src/praisonai/praisonai/recipe/serve.py
    • src/praisonai/praisonai/cli/features/recipe.py
    • src/praisonai-agents/praisonaiagents/workflows/yaml_parser.py
    • src/praisonai-agents/praisonaiagents/workflows/workflows.py

Validated affected:

  • current main 2f9677abb2ea68eab864ee8b6a828fd0141612e1 (v4.6.57-4-g2f9677ab)
  • v4.6.57
  • v4.6.56
  • v4.6.10
  • v4.6.9
  • v4.5.128
  • v4.5.120
  • v4.5.96
  • v4.5.87

Suggested affected range: `>= 4.5.87,

Affected AI Products

llm